Changes to Binding Corporate Rules in a GDPR world

Today the ICO published a new blog post about its approach to processing Binding Corporate Rules (BCRs) applications.

BCRs are used to allow intra-group transfer of data where the transfer is outside the EEA. Simply put, they allow a business to arrange the transfer of EU-related data to a part of their business that’s outside Europe. The process requires the company to submit the BCRs to a “lead authority” (determined by their HQ location); these are then discussed between all the EU regulators before they can be used by the organisation.

BCRs are a useful tool to address international transfer of data, remembering that it is unlawful to transfer data outside the EU according to data protection rules unless adequate safeguards (BCRs being one of them) are in place.

Data transfer rules have been part of the UK’s Data Protection Act for the last (nearly) 20 years and will continue with the GDPR. Today’s update from the ICO is about addressing the implications of GDPR. The key points being made by the ICO are:

  • BCR authorisations won’t be cancelled because of GDPR coming into force, but businesses relying on them need to make sure their current BCRs are GDPR compliant
  • The ICO will continue to be the UK’s lead authority and will work with other European data protection authorities in this regard
  • Any BCR applications going forward must be GDPR compliant and these will receive approval after GDPR comes into effect on 25th May 2018
  • For applications currently being considered by the ICO, they will be considered in light of the GDPR and the ICO may be in touch with the applicant to discuss updating their application to GDPR standards
  • The ICO are recruiting more people to help with the approval process