It hasn't been a quick process by any means. But these things never are.
First Data began its effort to win approval for its binding corporate rules (BCRs) in 2007. This month, the UK Information Commissioner's Office (ICO) officially recognized the Georgia-based multinational payment solutions company's BCRs for data processors. Now able to boast it's been approved for both processors and controllers (the latter accomplished in 2011), it's also the first company to have done so under the purview of the ICO.
First Data Chief Privacy Officer (CPO) John Atkins headed up the effort. He reports to Chief Compliance Officer Carmen Menendez-Puerto, who backed him up. While the company is Safe Harbor-certified for its employee data, it was clear even a few years ago when the company started the process that Safe Harbor is not necessarily the standard mechanism Europeans like to follow, Atkins said of the decision to pursue BCRs.
"We handle an awful lot of data for our customers," Atkins said. "So we were very interested in how to simplify the process."
Back in 2007, the BCR application process was still fairly new. Knowing he would eventually aim to win BCRs for processors also, Atkins went about setting up a program that could apply to both processors and controllers from the very beginning.
"We weren't going to treat our controller data any differently than we were that of our customers, so we started writing it that way," Atkins said.
Getting approved for controllers took about four years, and the program changed somewhat as the European data protection authorities (DPAs) modified their scheme and structure over time, he added. But later, with controller BCRs already under its belt, the company found the processor process somewhat streamlined.
Atkins said the most labor-intensive part of the process was not so much developing a program that the ICO would be comfortable approving but documenting it.
"Because it's our enterprise-wide data policy, we had to work with (the ICO) on an enterprise basis," he said. "So in addition to having to inform them about the information-security program, they also had to have documentation in a lot of other areas, like how we used and disposed of media, how we contract with vendors, how we communicate with vendors. And literally, it's about showing them everything you have. I was amazed at all the information we provided the first time around."
Menendez-Puerto said the biggest challenge for First Data, because of its global nature, was the process of socializing the BCR program and getting commitment from the relevant parties internally. "Getting them to agree to rigorous standards, making sure they understand BCRs and why they're doing this," she said. "That process of socializing and getting the commitment is time consuming."
For CPOs thinking about going after BCR approval, Atkins said regulators really want to know that your company has not only the underpinnings of strong compliance, privacy awareness and security programs but that those programs are operational.
Atkins traveled to the UK to meet with the ICO directly along with the outside legal counsel First Data hired, UK-based Dentons. It's a practice he highly recommends.
"We met with them to really describe who we were, what we were doing and also, of course, asking them if they'd become our sponsor," Atkins said. "I think it's very critical when you're trying to build a relationship. I think it gives them a good understanding of how seriously the company takes data privacy and data protection."
Meeting the ICO face-to-face during the approval process for controllers smoothed the path for the later process of going for processor approval. Because they'd established an in-person relationship, submitting documentation and receiving feedback went fairly smoothly.
"It just went a lot smoother the second time around because we'd been through it before and by then, the ICO had had a lot more experience with other DPAs within the BCR program and it didn't take us that long before the ICO was comfortable sending (us) off to those secondary DPAs."
Aside from doing your research and collecting all the information you'll need to show the sponsoring DPA, it's also important to write your information in a way that will be digestible to the regulators, Atkins said.
"DPAs don't have a huge amount of staff, at least in our experience," Atkins said. "So there are times when you'd have to wait quite a while from one step to the next, because they're not only helping one company. They're pulled in a lot of different directions at one time."
Once approval is gained, Menendez-Puerto said the focus becomes about the commitment to the ongoing responsibility to monitor what you're doing.
"You have to make sure you're meeting the standards," she said.
For Cindy Armine-Klein, chief control officer at First Data, the BCR approval means customer satisfaction. Because the company can now show clients that it is committed to conforming to the EU's strict data privacy standards, it can "offer our clients that peace of mind that comes with knowing they have a trusted partner managing their data."