Compliance & Ethics Professional
A publication of the Society of Corporate Compliance and Ethics
www.corporatecompliance.org
July 2015

Congratulations, Laura! An interview with Laura Burke, our 15,000th member. See page 14.

In this issue:
39 U.S./Cuba trade relations update: Is it all just political (cigar) smoke? by Jeremy Mauritson
35 Understanding Binding Corporate Rules, by Jan Dhont, Alyssa Cervantes, and Delphine Charlot
19 Tips for creating and maintaining a compliance program, by MaryEllen O’Neill
29 Conducting compliance training in international locations, by Anne Marie Logarta

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.



Understanding Binding Corporate Rules

by Jan Dhont, Alyssa Cervantes, and Delphine Charlot

» Binding Corporate Rules (BCRs) offer a combination of privacy principles, tools of effectiveness, and broad flexibility.

» There are two types of BCRs: one type for data controllers (generally data owners) and the other for data processors (vendors or processing agents).

» Data protection authorities are very supportive of BCRs and have a growing number of BCR applicants.

» BCRs offer global businesses the unique ability to implement a tailor-made privacy program.

» BCR applications are expected to increase tenfold when the proposed General Data Protection Regulation is adopted.

This article is the second of a series of four. The first part was published in our June 2015 issue.

The EU Data Protection Directive will soon be replaced with the General Data Protection Regulation (GDPR), which will impose higher sanctions and stricter accountability obligations on entities that process and control the personal information of individuals within the European Union (EU). Binding Corporate Rules (BCRs) can assist in preparing companies for this new GDPR by offering a flexible, tailored solution that is already compliant with a number of proposed requirements under the new GDPR.

This article will explain: (1) how BCRs operate; (2) how the BCR authorization process works; and (3) how BCRs can prepare multinational companies for the upcoming General Data Protection Regulation.

How do BCRs operate?

BCRs are a legal mechanism used by multinational companies to transfer personal information outside of the EU, regardless of the geographical location of the entities of the company group. BCRs do this by taking the form of a code of conduct, which sets forth principles and rules that will apply to the processing of personal information within a company group. Due to this intra-group framework, BCRs offer a unique flexibility to companies that have entities globally. For instance, the scope of the BCRs can be limited to specific data types, such as customer, vendor, or HR data. BCRs are also scalable in terms of the company group entities involved and can be combined with other legal data transfer mechanisms, such as EU Model Contracts or the US-EU Safe Harbor framework.

BCRs must be rendered legally binding on both the group entities that export personal information from the EU and the corporate entities that import personal information. This is most often done by means of an intra-group agreement, but can also take the form of unilateral declarations of group companies, or the incorporation of the group’s general business principles.

A key component of BCRs, which produces long-term added value, is the requirement to provide for a robust privacy governance structure. BCRs are not simply a policy or code of conduct; they also consist of implementation measures, such as processes laying out how privacy rights are administered and how complaints are handled and escalated. In addition, effective control mechanisms should be put in place, such as an audit protocol, and applicants can tailor the implementation measures to suit their business needs. A robust governance structure has many upsides: it increases legal certainty due to Data Protection Authority (DPA) checks, ensures a high level of privacy compliance, and harmonizes future approaches to privacy compliance within the group.

Once BCRs are approved, they provide for a sound legal basis to exchange personal information, regardless of the information systems used. Provided that the BCRs are drafted broadly enough, they should be able to accommodate some variation in the types of data flow.[1]

Types of BCRs

There are two types of BCRs: one type for data controllers (BCR-C, generally data owners) and the other for data processors (BCR-P, vendors or processing agents).

The standard BCR is the one for data controllers, known as BCR-C, which applies to companies that want to process data for their own purposes. An example is the sharing of customer data with other group entities for broad customer relationship management purposes. BCR-Cs also allow companies to secure data flows and to meet their EU obligations with multiple processors.

Interestingly, until 2013 there was no adequate mechanism for vendors or processing agents in the EU to export data. Therefore, vendors were obliged to impose the burden of compliance with applicable data transfer obligations on their clients, which is commercially impractical. However, in 2013 BCR-Ps were finally recognized as a data transfer mechanism for data transfers to and between group entities of vendors/data processors.

Under BCR-Ps, the vendor has a commercial advantage because it reduces the burden on clients. This is primarily because BCR-Ps enhance data subjects’ rights by committing to providing controllers with relevant information to enable them to respect their obligations towards data subjects. Specifically, they provide third-party beneficiary rights to data subjects and a liability regime for processors. In turn, this provides a high level of comfort to the client and more flexibility with regard to processor liability.

Some statistics on BCR approvals

In the last few years, multinational companies have increasingly relied on BCRs. As a result, the BCR authorization process has sped up due to increased DPA support. Currently, it takes around 5 months on average for lead DPAs to handle applications. It then takes 3-4 months for mutual recognition and cooperation procedures with other DPAs. Finally, companies often take a certain amount of time to review the BCR amongst the company group, and this timing can vary (on average, this takes 8 months).

To date there have been 66 BCRs approved. Of those approved, 61 are BCR-Cs and 5 are BCR-Ps (e.g., Atos, First Data Incorporation). Currently, there are a total of 42 BCRs in the pipeline, 12 of which are BCR-Ps.

How can BCRs prepare companies for new regulation?

With the new proposed GDPR on the horizon and the Safe Harbor framework on review, multinational companies should look to ensure compliance in the face of increased sanctions and legal uncertainty. Currently, the data protection laws in the EU are governed by Directive 1995/46. However, the new GDPR is projected to be finalized in the coming year. BCRs can help bridge the gap between the Directive and the GDPR as BCRs ensure that companies will be GDPR compliant. This is primarily because to successfully apply for BCRs, companies need to meet an accountability standard which mirrors the requirements of the future GDPR (see Table 1). It is expected that once the GDPR is adopted, BCR applications will increase dramatically.

1. Binding Corporate Rules, Frequently Asked Questions, p. 4, see: http://bit.ly/1G8npHi.

Jan Dhont is Partner and Head of the Koan Lorenz Privacy and Data Protection Practice, Brussels. Alyssa Cervantes and Delphine Charlot are Associates in the Koan Lorenz Privacy and Data Protection Practice, Brussels.

Proposed General Data Protection Regulation (GDPR) Requirements | Binding Corporate Rules
Concise, transparent, clear, and easily accessible policies demonstrating compliance | ✓ GDPR Compliant
Demonstrable technical/organizational measures | ✓ GDPR Compliant
Privacy Impact Assessments | ✓ GDPR Compliant
Documentation obligation | ✓ GDPR Compliant
Data Protection Officer requirements | ✓ GDPR Compliant
Audit requirements | ✓ GDPR Compliant

Table 1: Accountability Standards