Since Safe Harbor was invalidated by Europe’s highest court, companies are understandably scrambling to use alternative data transfer mechanisms. One company that isn’t worried about that, however, is BMC Software, a global IT management provider, which recently was certified for its Binding Corporate Rules (BCRs) as both a controller and processor—the seventh in the world to win such a title.
BMC, which is based in Houston, Texas, but has offices in London, aims to help its 15,000 customers gain a competitive edge through digital innovation. It knew going after BCRs would be a long process and a major commitment, said Elodie Dowling, who’s now corporate vice president. But it decided the risk of not getting BCRs was greater.
Dowling started the process three years ago when she was head of BMC’s EMEA legal department and started to see an increase in interest in negotiations around commercial contracts with customers and that process was becoming more cumbersome.
“We were having to sign more and more data processing agreements and model clauses, and there were security measures that needed to be implemented,” Dowling said. “Each time it was a one-off process and there was always a very customized response each time, depending on which clients you were discussing. I started to look at it from a broader perspective and went back to corporate.”
She told them that the trend of privacy laws was headed toward more stringent rather than more relaxed, so to ensure BMC could handle data globally through entities situated in different geographies, BCRs were the most attractive option. In addition, the underlying responsibility in case of a breach was too high not to go through the process, lengthy as it would be.
“At the time, we were really entering the digital arena, and it became obvious that if we really wanted to almost not bother with personal data—not bother in the sense of wondering if this particular country and this particular customer—and simply upgrade the whole standard throughout our whole entities.
It was clear, however, that the process would require a lot of resources and budget. Dowling said that kind of financial necessity must be planned for ahead of time, with the expectation that not only will documenting for BCRs take manpower and therefore cost, but monitoring accountability will also be costly.
“I came with a pretty strong businesses case,” she said. “Obviously we had decisions around the cost. We initiated those discussions very early on because I wanted everyone to understand that getting the BCR was like getting married. It’s only the beginning of the relationship. Obviously my concern was how do I ensure compliance in the long term. We’re very concerned about post-BCRs."
That’s where Jonathan Perez comes in. His position was created to manage long-term compliance with the BCR standards.
Perez came on board a year and a half ago and is in charge of data privacy and data protection for BMC on a global basis. Perez’s focus is on implementing the rules the company has committed to complying with, he said.
“We’ve created a lot of working groups and privacy groups to bolster the business functions of BMC from procurement to business to marketing to HR—all the business functions,” Perez said, adding the groups have regular meetings on rule implementation and employee training. “We had to modify and deploy new employment agreements” in the HR department, he said of the way one department has had to shift to meet compliance.
More broadly, Dowling said, the purpose of the groups is to gain knowledge from the business function about what current processes are, create a gap analysis based on those answers and then implement remedial actions to bridge the differences between what is and what needs to be.
Dowling emphasized that the documentation aspect of BCRs has been particularly time-consuming—more so than implementing the changes themselves. The changes came before the application was even officially filed.
“We started where we could … early on … even though we didn’t have the BCRs so that we could get toward compliance in a quicker manner. But definitely the documentation part of it was not really in our wheelhouse,” she said.
Dowling was pleased with the working relationship BMC had with French data protection authority the CNIL during the application process because, she said, “the way CNIL was looking at data privacy was pretty much in line with how I had envisioned it with BMC in the sense that they were more looking to evangelization of the matter and training and ensuring that things happened."
It’s not as much about the result, she said, but how you get there.
“There’s no way you can be in line with BCRs if you don’t fundamentally change the thinking of the company and how they handle data,” she said.
In talking to the CNIL, Dowling said she “positioned BMC as, ‘Though we are industry, we are fighting for the same battle.' We are one of the little fighters, the soldiers in the field leading to the same battle, and by going after BCRs for processors, we’ve agreed to push down those values not only with the group within BMC but also all the service providers we are dealing with.”
Framing it that way helped, Dowling said, because it seemed that was how CNIL perceived it as well.
“That was our common understanding,” she said. “We’re in the same boat; we believe in the same values.”
While there’s much to be done still, Dowling said she’s confident she’ll see the resources she needs to ensure compliance, especially because the business side of the house sees data protection as a competitive advantage and actually asks questions about it.
“I have to admit, I know it’s not like this in every company, so we’re pretty fortunate,” she said.
Dowling recommends companies looking for BCRs to do the following:
- Don't start until you're convinced you can get to the end of it; i.e., you have executive support and enough people and financial resources;
- Get the business to buy in on your vision of what BCRs will bring to your company in business terms rather than in legal or compliance terms;
- Be ready to answer questions and doubts on why you should get BCRs throughout the entire process.