Hewlett-Packard (HP) has become the first company to be approved under both the Binding Corporate Rules (BCR) and Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules (CBPR) systems, a process streamlined by the G29 and APEC countries' release of a "Referential" at the IAPP's Global Privacy Summit last March. The Referential is a practical tool mapping the commonalities and differences in the requirements between the two frameworks.
Getting approved wasn’t a spontaneous decision by any means; HP made a decision to put the wheels in motion before BCRs were even a legal reality. Back in 2003, executives started talking with data protection authorities (DPAs) in Europe about the very concept and ways infrastructure may be put in place to support it.
“It’s really part of the long-term vision,” said Daniel Pradelles, CIPP/US, HP’s privacy officer for Europe, the Middle East and Africa, who facilitated the BCR application process under the supervision of HP’s lead data protection authority for the certification, France’s CNIL. “The BCR is really the glue, putting together all the different modules necessary for a company.”
HP VP and Chief Privacy Officer Scott Taylor, CIPP/US, said the company is a huge proponent of accountability via binding co-regulatory programs like BCRs and CBPRs because they require a company to hold itself to a higher standard globally in a comprehensive way, giving data subjects an additional level of confidence in the organizations with which they’re working. “We actually hold a high hope in not only raising the standard of privacy through these programs but the ability to harmonize their objectives in a way that allows a large, global multinational to meet the expectations of the data subjects and at the same time create some uniformity in terms of how we actually comply with different laws and jurisdictions,” Taylor said.
And uniformity is important when you’re a company the size of HP, operating in as many jurisdictions as it does and trying to tell its thousands of employees how to handle data.
“Complying jurisdiction-by-jurisdiction does not match the way data is being used,” he said.
Besides that, problems exist because of the age-old story in which technology consistently races ahead of the pace of the law. So additional mechanisms are needed to patch up the leaks, Taylor said. BCRs and CBPRs are some of the methodologies helping businesses cope.
“The gap between the guidance the laws can provide and some of these new business models and technologies needs to be filled with something,” he said, “so our concept for a long time has been concepts of organization accountability and social responsibility as a mechanism to fill the gap between the laws—which are always going to be behind—and the challenges we face in today’s business environment.”
The BCR Process: A Daunting Task?
The BCR process has certainly evolved over time, said Pradelles. In the beginning, it wasn’t always clear what the expectations were or how the process would go down. GE was the first company to attempt BCR certification, and reportedly had a heck of a time. But in the more than 10 years of its evolution, the BCR process has become much more streamlined.
But isn’t it still a laborious process? That seems to be its reputation.
No, Pradelles said. That’s more myth than truth.
“There is often confusion between building the infrastructure supporting the BCR, which a company should and must have in place, BCR or not, and the BCR itself, which is the documentation. Often people are mixing them together,” he said.
Yes, it’s an expensive and extensive process, but it’s something a company must have in place anyway if it wants to succeed.
Taylor said there was nothing about the BCR process that was difficult, laborious or challenging. A company should have similar data protection processes in place in any case, he said, so simply documenting that it does, using guidance documents like Working Documents 153 and 154 under the general BCR framework, isn’t particularly taxing.
Plus, the process can move at your pace.
“It requires you to slowly evolve your program to the objectives of 153 and 154, and that’s something you can do over time,” Taylor said. “As you get closer, it’s a matter of sitting down and documenting the substantiation.”
He added that the criteria in the BCR and CBPR systems are a perfect architecture for establishing a solid privacy program, whether you end up going through the BCR process or not.
While Pradelles was working on getting HP approved for BCRs, Jacobo Esquenazi, HP’s privacy officer for the Americas, was leveraging that groundwork to certify the company for APEC’s Cross-Border Privacy Rules. A company seeking to certify under both frameworks could in principle do so in whatever order it pleases. But Pradelles, Esquenazi and Taylor agree that because the BCR framework is more robust, it probably makes most sense to do your homework toward that program first; you will then be most of the way there already when you contact the accountability agent who’ll oversee your company’s CBPR application.
Esquenazi said he wouldn’t necessarily call the CBPR certification process easier than that of BCRs but did say there are differences and he certainly had an easier time substantiating the application given the work his colleagues had already done on BCRs.
“If you had your CBPR certification, it probably satisfies a third of the BCR,” Taylor said. “In reverse, the goal is that if you have completed your substantiation from BCR, it should really satisfy 90-plus percent of the CBPR. Because we started in Europe, it really made the CBPR process relatively simple. Either way, there’s a benefit to organizations no matter where they start. The good news is there will be a body of work you won’t lose, and you can leverage it in achieving the other.”
So what should companies prepare for when thinking about going for certification under either voluntary framework?
You’ve got to have support from the top, and it has to be part of a vision, Pradelles said.
“BCR is not something you do in the kitchen,” he said. “This is something important which has to be integrated into a vision of privacy in the company.”
Also, he said, you’ve got to do your homework before you even look to the DPA for discussion.
Esquenazi echoed the advice for CBPRs. He said to remember that while the certification may look more transactional, you had better have done the work to put a strong program in place, including dotting your Is and crossing your Ts, or certification isn’t going to happen.
“It has to have meat in it,” he said of the privacy program.