Compliance & Ethics Professional
a publication of the Society of Corporate Compliance and Ethics, www.corporatecompliance.org
July 2015

In this issue: Congratulations, Laura! An interview with Laura Burke, our 15,000th member (see page 14); U.S./Cuba trade relations update: Is it all just political (cigar) smoke? by Jeremy Mauritson (page 39); Understanding Binding Corporate Rules by Jan Dhont, Alyssa Cervantes, and Delphine Charlot (page 35); Tips for creating and maintaining a compliance program by MaryEllen O'Neill (page 19); Conducting compliance training in international locations by Anne Marie Logarta (page 29).

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.

Compliance & Ethics Professional, July 2015, page 35
FEATURE
Understanding Binding Corporate Rules
by Jan Dhont, Alyssa Cervantes, and Delphine Charlot

This article is the second of a series of four. The first part was published in our June 2015 issue.

»» Binding Corporate Rules (BCRs) offer a combination of privacy principles, tools of effectiveness, and broad flexibility.
»» There are two types of BCRs: one type for data controllers (generally data owners) and the other for data processors (vendors or processing agents).
»» Data protection authorities are very supportive of BCRs and have a growing number of BCR applicants.
»» BCRs offer global businesses the unique ability to implement a tailor-made privacy program.
»» BCR applications are expected to increase tenfold when the proposed General Data Protection Regulation is adopted.

The EU Data Protection Directive will soon be replaced with the General Data Protection Regulation (GDPR), which will impose higher sanctions and stricter accountability obligations on entities that process and control the personal information of individuals within the European Union (EU). Binding Corporate Rules (BCRs) can assist in preparing companies for the new GDPR by offering a flexible, tailored solution that is already compliant with a number of the requirements proposed under it.

This article will explain: (1) how BCRs operate; (2) how the BCR authorization process works; and (3) how BCRs can prepare multinational companies for the upcoming General Data Protection Regulation.

How do BCRs operate?

BCRs are a legal mechanism used by multinational companies to transfer personal information outside of the EU, regardless of the geographical location of the entities of the company group. BCRs do this by taking the form of a code of conduct, which sets forth the principles and rules that will apply to the processing of personal information within the company group. Due to this intra-group framework, BCRs offer a unique flexibility to companies that have entities globally. For instance, the scope of the BCRs can be limited to specific data types, such as customer, vendor, or HR data. BCRs are also scalable in terms of the company group entities involved and can be combined with other legal data transfer mechanisms, such as EU Model Contracts or the US-EU Safe Harbor framework.

BCRs must be rendered legally binding on both the group entities that export personal information from the EU and the corporate entities that import personal information. This is most often done by means of an intra-group agreement, but can also take the form of unilateral declarations of group companies, or the incorporation of the group's general business principles.

A key component of BCRs, which produces long-term added value, is the requirement to provide for a robust privacy governance structure. BCRs are not simply a policy or code of conduct; they also consist of implementation measures, such as processes laying out how privacy rights are administered and how complaints are handled and escalated. In addition, effective control mechanisms, such as an audit protocol, should be put in place, and applicants can tailor the implementation measures to suit the needs of their business. A robust governance structure has many upsides: it increases legal certainty due to Data Protection Authority (DPA) checks, ensures a high level of privacy compliance, and harmonizes future approaches to privacy compliance within the group.

Once BCRs are approved, they provide a sound legal basis to exchange personal information, regardless of the information systems used. Provided that the BCRs are drafted broadly enough, they should be able to accommodate some variation in the types of data flow.[1]
Types of BCRs

There are two types of BCRs: one type for data controllers (BCR-C, generally data owners) and the other for data processors (BCR-P, vendors or processing agents). The standard BCR is the one for data controllers, known as the BCR-C, which applies to companies that want to process data for their own purposes. An example is the sharing of customer data with other group entities for broad customer relationship management purposes. BCR-Cs also allow companies to secure data flows and to meet their EU obligations when working with multiple processors.

Interestingly, until 2013 there was no adequate mechanism for vendors or processing agents in the EU to export data. Therefore, vendors were obliged to impose the burden of compliance with applicable data transfer obligations on their clients, which is commercially impractical. However, in 2013 BCR-Ps were finally recognized as a data transfer mechanism for data transfers to and between group entities of vendors/data processors.

Under BCR-Ps, the vendor has a commercial advantage because the mechanism reduces the burden on clients. This is primarily because BCR-Ps enhance data subjects' rights by committing to providing controllers with the relevant information to enable them to respect their obligations towards data subjects. Specifically, they provide third-party beneficiary rights to data subjects and a liability regime for processors. In turn, this provides a high level of comfort to the client and more flexibility with regard to processor liability.
Some statistics on BCR approvals

In the last few years, multinational companies have increasingly relied on BCRs. As a result, the BCR authorization process has sped up due to increased DPA support. Currently, it takes around 5 months on average for lead DPAs to handle applications. It then takes 3-4 months for the mutual recognition and cooperation procedures with other DPAs. Finally, companies often take a certain amount of time to review the BCR amongst the company group, and this timing can vary (on average, it takes 8 months).

To date there have been 66 BCRs approved. Of those approved, 61 are BCR-Cs and 5 are BCR-Ps (e.g., Atos, First Data Incorporation). Currently, there are a total of 42 BCRs in the pipeline, 12 of which are BCR-Ps.

How can BCRs prepare companies for new regulation?

With the proposed GDPR on the horizon and the Safe Harbor framework under review, multinational companies should look to ensure compliance in the face of increased sanctions and legal uncertainty. Currently, data protection law in the EU is governed by Directive 1995/46. However, the new GDPR is projected to be finalized in the coming year. BCRs can help bridge the gap between the Directive and the GDPR, as BCRs provide for core obligations that can be found in the GDPR. This is primarily because, to successfully apply for BCRs, companies need to meet an accountability standard which mirrors the requirements of the future GDPR (see Table 1). It is expected that once the GDPR is adopted, BCR applications will increase dramatically.
Table 1: Accountability Standards

Proposed General Data Protection Regulation (GDPR) requirement                       | Binding Corporate Rules
-------------------------------------------------------------------------------------|------------------------
Concise, transparent, clear, and easily accessible policies demonstrating compliance | ✓ GDPR compliant
Demonstrable technical/organizational measures                                       | ✓ GDPR compliant
Privacy Impact Assessments                                                           | ✓ GDPR compliant
Documentation obligation                                                             | ✓ GDPR compliant
Data Protection Officer requirements                                                 | ✓ GDPR compliant
Audit requirements                                                                   | ✓ GDPR compliant

1. Binding Corporate Rules, Frequently Asked Questions, p. 4, see: http://bit.ly/1G8npHi.

Jan Dhont (J.Dhont@koanlorenz.com) is Partner and Head of the Koan Lorenz Privacy and Data Protection Practice, Brussels. Alyssa Cervantes (A.Cervantes@koanlorenz.com) and Delphine Charlot (D.Charlot@koanlorenz.com) are Associates in the Koan Lorenz Privacy and Data Protection Practice, Brussels.
