Understanding Binding Corporate Rules
Compliance & Ethics Professional, July 2015
A publication of the Society of Corporate Compliance and Ethics, www.corporatecompliance.org
This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.
Understanding Binding Corporate Rules
by Jan Dhont, Alyssa Cervantes, and Delphine Charlot

»» Binding Corporate Rules (BCRs) offer a combination of privacy principles, tools of effectiveness, and broad flexibility.
»» There are two types of BCRs: one type for data controllers (generally data owners) and the other for data processors (vendors or processing agents).
»» Data protection authorities are very supportive of BCRs and have a growing number of BCR applicants.
»» BCRs offer global businesses the unique ability to implement a tailor-made privacy program.
»» BCR applications are expected to increase tenfold when the proposed General Data Protection Regulation is adopted.

This article is the second of a series of four. The first part was published in our June 2015 issue.

The EU Data Protection Directive will soon be replaced with the General Data Protection Regulation (GDPR), which will impose higher sanctions and stricter accountability obligations on entities that process and control the personal information of individuals within the European Union (EU). Binding Corporate Rules (BCRs) can assist in preparing companies for this new GDPR by offering a flexible, tailored solution that is already compliant with a number of proposed requirements under the new GDPR.

This article will explain: (1) how BCRs operate; (2) how the BCR authorization process works; and (3) how BCRs can prepare multinational companies for the upcoming General Data Protection Regulation.

How do BCRs operate?
BCRs are a legal mechanism used by multinational companies to transfer personal information outside of the EU, regardless of the geographical location of the entities of the company group. BCRs do this by taking the form of a code of conduct, which sets forth principles and rules that will apply to the processing of personal information within a company group. Due to this intra-group framework, BCRs offer a unique flexibility to companies that have entities globally. For instance, the scope of the BCRs can be limited to specific data types, such as customer, vendor, or HR data. BCRs are also scalable in terms of the company group entities involved and can be combined with other legal data transfer mechanisms, such as EU Model Contracts or the US-EU Safe Harbor framework.

BCRs must be rendered legally binding on both the group entities that export personal information from the EU and the corporate entities that import personal information. This is most often done by means of an intra-group agreement, but can also take the form of unilateral declarations of group companies, or the incorporation of the group’s general business principles.
A key component of BCRs, which produces long-term added value, is the requirement to provide for a robust privacy governance structure. BCRs are not simply a policy or code of conduct; they also consist of implementation measures, such as processes laying out how privacy rights are administered and how complaints are handled and escalated. In addition, effective control mechanisms should be put in place, such as an audit protocol; at the same time, applicants can tailor the implementation measures to suit their needs in light of the business. A robust governance structure has many upsides: it increases legal certainty due to Data Protection Authority (DPA) checks, ensures a high level of privacy compliance, and harmonizes future approaches to privacy compliance within the group.

Once BCRs are approved, they provide a sound legal basis to exchange personal information, regardless of the information systems used. Provided that the BCRs are drafted broadly enough, they should be able to accommodate some variation in the types of data flow.¹
Types of BCRs
There are two types of BCRs: one type for data controllers (BCR-C, generally data owners) and the other for data processors (BCR-P, vendors or processing agents).

The standard BCR is the one for data controllers, known as BCR-C, which applies to companies that want to process data for their own purposes. An example is the sharing of customer data with other group entities for broad customer relationship management purposes. BCR-Cs also allow companies to secure data flows and to meet their EU obligations with multiple processors.
Interestingly, until 2013 there was no adequate mechanism for vendors or processing agents in the EU to export data. Therefore, vendors were obliged to impose the burden for compliance with applicable data transfer obligations on their clients, which is commercially impractical. However, in 2013 BCR-Ps were finally recognized as a data transfer mechanism for data transfers to and between group entities of vendors/data processors.

Under BCR-Ps, the vendor has a commercial advantage because it reduces the burden on clients. This is primarily because BCR-Ps enhance data subjects’ rights by committing to providing controllers with relevant information to enable them to respect their obligations towards data subjects. Specifically, they provide third-party beneficiary rights to data subjects and
a liability regime for processors. In turn, this provides a high level of comfort to the client and more flexibility with regard to processor liability.
Some statistics on BCR approvals
In the last few years, multinational companies have increasingly relied on BCRs. As a result, the BCR authorization process has sped up due to increased DPA support. Currently, it takes around 5 months on average for lead DPAs to handle applications. It then takes 3-4 months for mutual recognition and cooperation procedures with other DPAs. Finally, companies often take a certain amount of time to review the BCR amongst the company group, and this timing can vary (on average, this takes 8 months).

To date there have been 66 BCRs approved. Of those approved, 61 are BCR-Cs and 5 are BCR-Ps (e.g., Atos, First Data Incorporation). Currently, there are a total of 42 BCRs in the pipeline, 12 of which are BCR-Ps.
How can BCRs prepare companies for new regulation?
With the new proposed GDPR on the horizon and the Safe Harbor framework on review, multinational companies should look to ensure compliance in the face of increased sanctions and legal uncertainty. Currently, the data protection laws in the EU are governed by Directive 1995/46. However, the new GDPR is projected to be finalized in the coming year. BCRs can help bridge the gap between the Directive and the GDPR as BCRs provide for core obligations that can be found in the GDPR. This is primarily because to successfully apply for BCRs, companies need to meet an accountability standard which mirrors the requirements of the future GDPR (see Table 1). It is expected that once the GDPR is adopted, BCR applications will increase dramatically.
1. Binding Corporate Rules, Frequently Asked Questions, p. 4, see: http://bit.ly/1G8npHi.
Jan Dhont (J.Dhont@koanlorenz.com) is Partner and Head of the Koan Lorenz Privacy and Data Protection Practice, Brussels. Alyssa Cervantes (A.Cervantes@koanlorenz.com) and Delphine Charlot (D.Charlot@koanlorenz.com) are Associates in the Koan Lorenz Privacy and Data Protection Practice, Brussels.
Table 1: Accountability Standards

Proposed General Data Protection Regulation (GDPR) Requirements                        | Binding Corporate Rules
---------------------------------------------------------------------------------------|------------------------
Concise, transparent, clear, and easily accessible policies demonstrating compliance   | ✓ GDPR Compliant
Demonstrable technical/organizational measures                                         | ✓ GDPR Compliant
Privacy Impact Assessments                                                             | ✓ GDPR Compliant
Documentation obligation                                                               | ✓ GDPR Compliant
Data Protection Officer requirements                                                   | ✓ GDPR Compliant
Audit requirements                                                                     | ✓ GDPR Compliant