The UK’s data protection regulator, the ICO, recently issued new guidance and rules for the approval of Binding Corporate Rules (BCRs) under the UK’s general data protection law (the UK GDPR).
The ICO’s revised approach will bring several changes and potential benefits for multinational organisations seeking UK BCRs. However, organisations seeking to put in place BCRs in both the EU and UK will now need to navigate divergent processes and requirements.
What are BCRs?
The UK GDPR regime restricts the transfer of personal data outside the UK. Personal data subject to the UK GDPR regime can only be transferred out of the UK if the transfer is based on one of a few permitted transfer mechanisms. Most international transfers under the UK GDPR rely on:
- an official finding that the destination country offers adequate safeguards – however, relatively few countries have ‘adequacy’ findings, and that list does not include many major markets such as the US, China and India;
- officially mandated standard contractual clauses (SCCs) (aka International Data Transfer Agreements (IDTAs)); or
- BCRs approved by the ICO, which can be used for transfers within multinational companies or groups of enterprises. BCRs are a set of internal rules that regulate international personal data transfers within the group and confer enforceable rights on the individuals whose personal data is transferred.
BCRs were developed under EU data protection law, which contains similar restrictions on transfers of personal data outside of the European Economic Area (EEA). They are widely considered to be a ‘gold standard’ given that they are approved by a regulator. For many group companies, BCRs are an efficient mechanism as a single BCR regime can be used to eliminate the need to put in place (and maintain) numerous contractual SCCs to cover intra-group data transfers.
Unfortunately, the process of obtaining BCRs in both the UK and EU has historically been notoriously costly and time consuming (in some cases taking years). This has reduced the uptake of BCRs since using SCCs as an alternative is relatively simple and does not require regulatory approvals.
What has changed?
The ICO has made a number of key changes that aim to simplify and quicken the UK BCR application process, including:
- revised requirements centred on an outcome-based, ‘principles based’ approach that dispenses with the need to include specific wording. This may allow organisations to better tailor their BCRs to their culture and needs;
- simplification of the application forms and requirements;
- changes designed to eliminate the need for unnecessary duplication of information as part of the application process; and
- the key list of requirements known as the ‘referential tables’ has been simplified and recast. For example, there is now just one core UK referential table, plus an additional annex for those seeking processor BCRs. In contrast, the EU data protection regime will continue to have two entirely separate (and more complex) referential tables for controller BCRs and processor BCRs.
Under the ICO’s new approach a UK BCR will include:
- an application form plus completed referential tables;
- a binding instrument: this is the mechanism that makes the UK BCRs binding and enforceable both internally and externally by third-party data subjects. The ICO has said it will usually prefer the instrument to be an intra-group agreement;
- a BCR policy: a document to be made publicly available to inform individuals about how the BCR will apply to their data and rights. The policy must ensure data subjects understand they have enforceable rights under the BCRs; and
- internal policies and procedures in support of the BCRs.
The UK BCR regime will continue to distinguish between ‘controller’ and ‘processor’ BCRs.
BCRs aren’t enough on their own!
Before BCRs (or SCCs) may be used to make a transfer of personal data out of the UK, a ‘transfer risk assessment’ (TRA) must be undertaken for the specific transfer to ensure appropriate safeguards are in place in the circumstances. TRAs must consider various factors, such as the surveillance laws of the destination country.
The ICO’s updated guidance confirms that:
- UK BCRs do not remove the requirement to conduct a TRA for each transfer;
- organisations must regularly review their TRAs and adjust their UK BCRs to address any risks identified; and
- the ICO may audit the TRAs at any time.
A TRA can be a complicated exercise and challenging for many organisations, but the new guidance confirms that TRAs will not need to be submitted to the ICO as part of the BCR approval process.
Organisations with approved BCRs must also ensure they meet all the various other compliance requirements under data protection law that are not specific to international transfers (including compliance with each of the data protection principles and rights of data subjects).
Looking ahead
The ICO’s desire to simplify and shorten the BCR process is admirable. Nevertheless, UK BCR applications will remain a major project for any organisation and will need to be carefully managed by the organisation and its advisers to ensure the process runs efficiently.
The main beneficiaries of the changes may be organisations seeking only UK BCRs. The ICO’s new approach to BCRs differs sharply from the approach taken in the EU and the ICO has indicated it is not possible to co-mingle UK BCRs with EU BCRs. Companies will therefore have to navigate two different application processes and requirements to obtain both EU and UK BCRs. This may bring further overheads.
It also remains to be seen if the ICO’s new approach will result in quicker BCR applications. For example, the less prescriptive approach may require the ICO to spend more time considering the documents submitted.
The ICO has said it will keep its approach to UK BCRs under review and will look for opportunities to improve its guidance and BCR processes in the future.