News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | BMC Wins BCRs for Controllers and Processors: Here's What That Process Looked Like Related reading: TRUSTe Approved as APEC Accountability Agent; Belgium Approves New BCRs

rss_feed

""

""

Since Safe Harbor was invalidated by Europe’s highest court, companies are understandably scrambling to use alternative data transfer mechanisms. One company that isn’t worried about that, however, is BMC Software, a global IT management provider, which recently was certified for its Binding Corporate Rules (BCRs) as both a controller and processor—the seventh in the world to win such a title.

BMC, which is based in Houston, Texas, but has offices in London, aims to help its 15,000 customers gain a competitive edge through digital innovation. It knew going after BCRs would be a long process and a major commitment, said Elodie Dowling, who’s now corporate vice president. But it decided the risk of not getting BCRs was greater. 

Dowling started the process three years ago when she was head of BMC’s EMEA legal department and started to see an increase in interest in negotiations around commercial contracts with customers and that process was becoming more cumbersome.

“We were having to sign more and more data processing agreements and model clauses, and there were security measures that needed to be implemented,” Dowling said. “Each time it was a one-off process and there was always a very customized response each time, depending on which clients you were discussing. I started to look at it from a broader perspective and went back to corporate.”

She told them that the trend of privacy laws was headed toward more stringent rather than more relaxed, so to ensure BMC could handle data globally through entities situated in different geographies, BCRs were the most attractive option. In addition, the underlying responsibility in case of a breach was too high not to go through the process, lengthy as it would be.

“At the time, we were really entering the digital arena, and it became obvious that if we really wanted to almost not bother with personal data—not bother in the sense of wondering if this particular country and this particular customer—and simply upgrade the whole standard throughout our whole entities.

It was clear, however, that the process would require a lot of resources and budget. Dowling said that kind of financial necessity must be planned for ahead of time, with the expectation that not only will documenting for BCRs take manpower and therefore cost, but monitoring accountability will also be costly.

“I came with a pretty strong businesses case,” she said. “Obviously we had decisions around the cost. We initiated those discussions very early on because I wanted everyone to understand that getting the BCR was like getting married. It’s only the beginning of the relationship. Obviously my concern was how do I ensure compliance in the long term. We’re very concerned about post-BCRs."

That’s where Jonathan Perez comes in. His position was created to manage long-term compliance with the BCR standards.

Perez came on board a year and a half ago and is in charge of data privacy and data protection for BMC on a global basis. Perez’s focus is on implementing the rules the company has committed to complying with, he said.

“We’ve created a lot of working groups and privacy groups to bolster the business functions of BMC from procurement to business to marketing to HR—all the business functions,” Perez said, adding the groups have regular meetings on rule implementation and employee training. “We had to modify and deploy new employment agreements” in the HR department, he said of the way one department has had to shift to meet compliance.

More broadly, Dowling said, the purpose of the groups is to gain knowledge from the business function about what current processes are, create a gap analysis based on those answers and then implement remedial actions to bridge the differences between what is and what needs to be.

Dowling emphasized that the documentation aspect of BCRs has been particularly time-consuming—more so than implementing the changes themselves. The changes came before the application was even officially filed.

“We started where we could … early on … even though we didn’t have the BCRs so that we could get toward compliance in a quicker manner. But definitely the documentation part of it was not really in our wheelhouse,” she said.

Dowling was pleased with the working relationship BMC had with French data protection authority the CNIL during the application process because, she said, “the way CNIL was looking at data privacy was pretty much in line with how I had envisioned it with BMC in the sense that they were more looking to evangelization of the matter and training and ensuring that things happened."

It’s not as much about the result, she said, but how you get there.

“There’s no way you can be in line with BCRs if you don’t fundamentally change the thinking of the company and how they handle data,” she said.

In talking to the CNIL, Dowling said she “positioned BMC as, ‘Though we are industry, we are fighting for the same battle.' We are one of the little fighters, the soldiers in the field leading to the same battle, and by going after BCRs for processors, we’ve agreed to push down those values not only with the group within BMC but also all the service providers we are dealing with.”

Framing it that way helped, Dowling said, because it seemed that was how CNIL perceived it as well.

“That was our common understanding,” she said. “We’re in the same boat; we believe in the same values.”

While there’s much to be done still, Dowling said she’s confident she’ll see the resources she needs to ensure compliance, especially because the business side of the house sees data protection as a competitive advantage and actually asks questions about it.

“I have to admit, I know it’s not like this in every company, so we’re pretty fortunate,” she said. 

Dowling recommends companies looking for BCRs to do the following: 

  • Don't start until you're convinced you can get to the end of it; i.e., you have executive support and enough people and financial resources;
  • Get the business to buy in on your vision of what BCRs will bring to your company in business terms rather than in legal or compliance terms;
  • Be ready to answer questions and doubts on why you should get BCRs throughout the entire process.

 

Author
Headshot Angelique Carson Nonmember Contributor
Tags
Europe
Privacy Operations Management
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
First Data the First With Double BCRs Through ICO
U.S.-based First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007, back when the process was young and still evolving. This month, the UK Information Commissioner's Office (ICO) officially recognized the multinational payment solutions company's BCRs for data proc...
Read More queue Save This
Are You Ready for BCRs?
“Do you really want to put yourself up for the scrutiny of a regulator?” Jannine Aston, director, privacy compliance and policy, international, at Verizon Business, posed that question to assembled attendees at last week’s Global Privacy Summit before explaining the litany of benefits associated wit...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Operations Management
Transborder Data Flow
Recent Comments