Chief privacy officers at companies who've gone after Binding Corporate Rules (BCR) approval in the European Union will largely tell you it was, well, a process. To put it mildly. The Privacy Advisor has spoken with many companies that have obtained BCRs, including First Data, Align Technologies and BMC, who've all shared that the undertaking requires significant time and resources.
Besides the process itself being labor intensive and time consuming, as BMC's Elodie Dowling said, "getting the BCR was like getting married. It’s only the beginning of the relationship."
For most companies, getting approval from a European data protection authority (DPA) for BCRs takes about 18 months. But for New York-based manufacturing company Corning Incorporated, the process took just six months. In the privacy world, that constitutes something of a big deal. How did they do it?
Corning Global Data Privacy Officer Kevin Murphy, CIPP/US, CIPP/E, CIPM, CIPT, says the reason it was able to move the process through so quickly was because the project was built on such a strong foundation and the company made the effort its top data privacy priority, bringing in outside expertise and a dedicated project leader.
"Our team members are experienced, and we routinely complete third-party assessments globally," he said, making the process perhaps more manageable than a company that doesn't regularly complete such assessments.
Sagi Leizerov, CIPP/US, and Christine Ravago, CIPP/US, CIPP/E, of EY worked with Corning on achieving the BCRs. Leizerov said the reason Corning was so successful in pushing the BCRs through quickly is because of the groundwork the company laid in years prior.
"They've been very smart from the beginning about this," Leizerov said.
Knowing it would one day apply for BCRs, the company created a privacy program that could later be applied more broadly.
"It's those basic things that if done well, with an eye not toward BCRs but toward maturity, that would make the BCR process successful."
They took that approach to "avoid duplication efforts when they got ready to start working on their BCRs,” Leizerov said. “That's one important differentiation. Corning has established a good structure and a good governance in how they manage things globally across their business units."
Ravago said the goal was to get the BCRs done quickly, and knowing that, the company established working groups from key business functions across the organization that met regularly. As a result, when those groups needed to provide supporting documents, they could do so swiftly rather than take time introducing people to the process cold every time something was required of any given group.
Its lead regulator was the French data protection authority, the CNIL, with whom Corning says it had a cooperative relationship. Several members of the senior Corning team, including Murphy and the chief information security officer, met with the CNIL in person to discuss its application. Murphy said Corning decided to allow itself a maximum of two weeks to respond to questions CNIL had on its application at any stage in the process.
"I think that the CNIL was supportive of our efforts because we demonstrated how seriously we took the application process," Murphy said. The process went pretty smoothly. The CNIL cited several areas for clarification and Corning had "few, if any, concerns about their requests."
EY's Ravago said working with CNIL in this case was a very positive experience. The head of the CNIL's Directorate for Compliancer, Myriam Gufflet, CIPM, was very focused on execution.
"She stayed on top of it, she stayed focused, she was very aware of timelines," Ravago said. "She ran this like a project, and she didn't put Corning in a position where they were waiting for no good reason."
Murphy led the BCR effort with a core team, including members of the data privacy office as well as regional privacy contacts. He also pulled from various departments within the larger company, including three from its law department, a number of leads within procurement, human resources and IT, and third-party consultants.
While administrative burdens often account for a significant weight of the application process's heavy load, Murphy said Corning front-loaded the administrative work, spending a number of weeks looking at Corning's future with regard to privacy.
"Once we had committed to the necessary process changes," he said, "the work shifted toward change management, which was a lot easier to accomplish given the cross-functional network we had developed and our executive-level support."
Because Corning already had a companywide introductory data privacy course as part of its core compliance offerings, as well as an intermediate data protection course geared toward those with more direct data-handling responsibilities, it easily shifted those already-established trainings to map to BCR requirements, Murphy said.
Leizerov said it was that kind of advanced thinking that pushed the BCRs through so quickly.
In addition, the company had developed a new data-classification system three years ago, which includes a personal data category. Since that time, Corning's security team has rolled out education and awareness activities that "reinforce the importance of classifying and protecting all of Corning's sensitive information, whether it be personal data or our intellectual assets."
Corning's Corporate Communications group pushed those efforts, also, producing frequent articles, posters and internal social media posts focusing on privacy and information protection issues, even translated into 14 languages.
Murphy recommends that companies thinking about applying for BCRs should first assess their business needs.
"This is not necessarily the best solution for everyone," he said, "and will be more successful in companies that have a broad need for cross-border transfers and already have a strong privacy program, including experience with regular, company-wide assessments of privacy practices."
C-suite buy-in is also huge.
"A key success factor was the fact that there was executive-level support to obtain the BCRs," Murphy said. "Any company interested in pursuing BCRs needs to develop or enhance their internal networks and get engagement from nearly every function and business unit before proceeding. This is the important groundwork that will make the application and implementation processes easier."
Leizerov said any large multi-national operating in the EU and elsewhere will at some point find themselves looking at BCRs.
"I think it should be on all large organizations' minds," he said. Looking toward the application program, the thing that will make the biggest impact will be "the things you've done as an organization previously to make the program run effectively, from the way the organization considered the technology to control the data, explaining where the data is and how it's flowing between entities to having a good handle on vendors and third parties the organization is dealing with. All of these things are critical to any accountability program," he said. "It's those basic things that if done well, with an eye not toward BCRs but toward maturity, that would make the BCR process successful."
His advice, then, is to work on the basics.
"Build toward that," he said. "Think of BCR as your stretch goal."
photo credit: GWP Virtual Network Meeting 2015 via photopin (license)