Binding Corporate Rules (BCRs) have existed since 2003. They were developed by the European data protection authorities to facilitate intra-group data transfers for multinationals, and are based on the provision in Directive 95/46/EC that permits personal data to be transferred on the basis of adequate safeguards. BCRs are essentially a set of rules that facilitate data transfers outside the EU, allowing an organisation to process personal data according to an approved set of rules. The GDPR formally recognises BCRs. Recital 110 GDPR states that, for BCRs to gain approval from the DPA, the rules must include “all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data”.
It is important to stress that BCRs are legally binding under the GDPR. They are not merely a code of conduct or an internal policy document: they carry serious obligations that are enforceable against every member of the group, wherever that member is located. The intention is to strengthen the rights of data subjects, giving them protection under the GDPR regardless of where in the world their data is processed, and to ensure that organisations maintain privacy programmes that comply with data protection law.
Article 47(2) of the GDPR sets out the elements that BCRs must contain. Much of this information will overlap with the documentation your organisation is already compiling for GDPR readiness; in particular, much of it will also be captured in your Article 30 Records of Processing Activities (RPA). The required elements include, but are not limited to:
- The data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question
- The application of the GDPR principles
- Rights of data subjects, complaint procedures, compliance verification and reporting structures
- Mandatory cooperation with the lead DPA
PMAs for BCRs
Nymity has identified 39 Privacy Management Activities (PMAs) that an organisation should maintain to manage BCRs. Of these 39 PMAs, 28 overlap with the PMAs that organisations are already maintaining for GDPR compliance. Examples of these overlapping PMAs include:
- Conducting self-assessments of privacy programs
- Maintaining documentation as evidence to demonstrate compliance
- Conducting privacy training
It is therefore easy to see how an organisation already well on its way to GDPR readiness can reuse some of its existing measures to satisfy BCR requirements as well.
How Nymity Can Help
Nymity’s Attestor™ tool provides a view of the entire organisation, showing which obligations each department is complying with. Attestor can accommodate multiple sets of obligations at once, because it is built on our mapping of 700 laws and codes that are now relevant to privacy compliance. This makes it an easy way to conduct a gap analysis and determine which areas still need to be addressed.
For more information on Nymity Attestor™, and to hear more about how other organisations such as BMC Software, CapGemini, and Adient are working towards compliance under the GDPR and BCRs, view the recording of our latest webinar by clicking this link: