“Do you really want to put yourself up for the scrutiny of a regulator?”
Jannine Aston, director, privacy compliance and policy, international, at Verizon Business, posed that question to assembled attendees at last week’s Global Privacy Summit before explaining the litany of benefits associated with approved Binding Corporate Rules (BCRs). Along with Sian Rudgard, CIPP/E, of counsel at Hogan Lovells, Aston spoke about the process of forming BCRs for European data transfers and the many considerations for deciding if BCRs are right for your company.
One of the most daunting is that initial and singular question.
Even though BCRs will invite data protection authorities (DPAs) to take a close look into the data practices of your company, the benefits of BCRs, which potentially allow information on European data subjects to be transferred worldwide within an organization, are undeniable. Not only do BCRs make data transfers a simple process, but they can also be a great way to understand what your company does with data. The process of applying for an approved BCR forces a company to do a full inventory of what data is collected and retained and how this is done.
Many companies have myriad ways that they comply with data transfer regulations, whether it be model clauses in contracts or Safe Harbor adequacy in the U.S. BCRs can consolidate these modes of compliance into one omnibus policy, Aston and Rudgard agreed. Moreover, the requirements of BCRs, which can be found in the European Commission Article 29 Working Party’s Working Paper 153 for data controllers and Working Paper 195 for data processors, are in line with many of the regulations of highly regulated—and therefore scrutinized—industries in the U.S., such as the financial sector.
Depending on customer base, BCRs can even be used as a marketing tool. For many European customers, having BCRs will separate a company from the rest of the pack.
Rudgard went as far as saying, “BCRs can future-proof your company.” Under the proposed European Data Regulation, companies may be required to show how they are complying with the regulation and be accountable, even prior to an incident. Having BCRs in place will go a long way to show the DPAs that your company is making the effort to comply. Rudgard went on to say that BCRs should be considered, “Not just a European solution, but it can be a worldwide solution for privacy compliance.” Although different countries have varying privacy regimes that sometimes conflict, the requirements of BCRs incorporate the basic tenets of the Fair Information Practice Principles that are used throughout the world.
When applying or considering applying for BCRs, a good place to start is examining the BCRs of the 60 or so companies that have successfully applied for approval. All of these BCRs can be found on the European Commission website. Aston and Rudgard were also quick to point out that it is wise to reach out to and become familiar with the lead DPA before beginning to draft BCRs. Which DPA is the “lead DPA” for your organization differs depending on several criteria set out by the Article 29 Working Party that can also be found on the European Commission website. Each DPA has its own nuances and focuses; therefore, it is advisable to get to know the peculiarities of the particular lead DPA your organization will be working with before putting pen to paper on a BCR draft.
Once your organization has reached out to the lead DPA, it is time to draft BCRs. BCR requirements focus on subject access, avenues for handling complaints, audit protocols and cooperation procedures that outline how to engage DPAs in case of a breach or a failure to comply with BCRs. After BCRs are written and submitted, they are up for review by various DPAs. The lead DPA will work with your organization to update the draft in light of the critiques and finalize the BCR. Finalizing the BCRs requires an organization to operationalize a binding mechanism, whether it be a unilateral declaration by a corporation that it and all of its subsidiaries will comply with the BCRs or intergroup agreements that contractually bind the subparts of the organization.
After a BCR application is approved, it is important to note that some EU countries will still require companies to seek permits on the BCRs before putting them into action. BCRs do not have to cover, and often do not cover, the totality of data held by a company. It is likely best for an organization to start with a small subset of data to be approved for BCRs, for instance European human resources data.
The process for obtaining BCRs can be long and expensive. However, Aston was confident that, in the long run, BCRs are worth the effort because an organization avoids all the ad hoc expenses that come with finding data transfer solutions every time they are needed.