GDPR | What are Binding Corporate Rules (BCRs)?

What are Binding Corporate Rules under the GDPR? Why are they important for GDPR?

Binding Corporate Rules (BCRs), covered in Article 47 of the GDPR, are one of the key elements of the new EU General Data Protection Regulation (GDPR).

  • BCRs are a set of binding corporate rules, such as codes-of-conduct, that govern intra-group data practices.  They are intended to cover frequent, large, and complex international data transfers.
  • BCRs describe how a company and its entities (or a group of enterprises engaged in a joint economic activity, including their employees) treat and share personal data, how individuals’ rights are respected, and how liability is managed on a group-wide basis.

Here is one example from eBay with the Luxembourg GDPR DPA as the lead.

Binding Corporate Rules under the GDPR require a high level of compliance maturity within a company, including an array of policies and procedures, audits and controls, complaint handling, and training that ultimately make BCRs more like a comprehensive compliance program than just a data transfer mechanism. In addition, BCRs involve a regulatory approval process that requires time, resources, and review, as well as the support of a company’s top management and a dedicated Binding Corporate Rules GDPR team.

Once the GDPR takes effect in May 2018, BCRs will be explicitly recognized as a mechanism ‘‘adducing appropriate safeguards’’ to the transfers of personal data outside the EU (Article 42). Importantly, the explicit recognition of BCRs covers both BCRs for controllers and BCRs for processors (Article 4 (17)). 

THE USE OF BCRS HAS A NUMBER OF BENEFITS FOR BOTH COMPANIES AND REGULATORS. FOR EXAMPLE:

  1. Companies are able to harmonize their data management and governance processes by applying uniform rules at each location in a binding manner.  They provide an internal guide for employees with regard to personal data management.
  2. BCRs help save localization costs where possible, enhance accountability, and build data protection and security into the company’s DNA.  They make data protection integral to the way the company carries out its business.
  3. Once implemented, BCRs offer flexibility in the launch of new products and services, as they help produce compliant results at an early stage.
  4. Prevent the risks resulting from data transfers to third countries.
  5. Avoid the need for a contract for each single transfer.
  6. Communicate externally on the company's data protection policy.

Are BCRs suitable for mid-size companies?

Although BCRs were initially attractive mainly to large multinationals, today they can also be suitable for many medium-sized companies. They can offer a competitive advantage on the market and increase the trust of customers and regulators in the privacy practices of the company.

WHERE CAN I FIND OTHER EXAMPLES OF BCRS?

Click here to see IAPP’s resource center for some great examples of BCRs from companies such as HP, Intel, and Philips.
