20 November 2017
The Information Commissioner’s Office is widely recognised as a leader in Binding Corporate Rules (BCR) authorisations. Around 25 per cent of the BCRs approved across Europe so far have been authorised by the ICO.*
The ICO is also one of the largest regulatory offices in Europe, meaning it has capacity to deal with authorisations at scale and at present we are working on around 40 BCR applications at various stages of the process.
BCRs are one of the ways organisations can comply with data protection rules about ensuring adequate safeguards when personal data is sent outside the European Economic Area (EEA).
They apply to multinational organisations transferring personal information outside the EEA but within their group of entities and subsidiaries. Organisations must get approval for their BCRs from the EU data protection authorities, with one authority, such as the ICO, acting as the lead.
BCRs will continue under the General Data Protection Regulation (GDPR), which becomes applicable next May. The ICO will carry on receiving and accepting BCR authorisation applications in the run up to, and beyond, GDPR taking effect. We encourage organisations to make contact with us if they wish to discuss their needs in advance of making an application.
It’s important to note that no BCR authorisation will be cancelled because of Brexit. The ICO will continue to work together with other European data protection authorities for international transfers to be achieved and to ensure that the ICO’s leading expertise in BCR is continually available to the international controller and processor community.
This blog post sets out some key facts those planning to apply for BCRs and those who already have approved BCRs should be aware of as we get closer to the GDPR taking effect. Information about other methods of ensuring adequate safeguards for international transfer, more suitable than BCRs for certain organisations, is on the ICO website.
Applications from now
We are asking any company planning to apply to the ICO for BCRs to ensure their application aligns with the GDPR. This is so that, once they are processed, they will comply with the new rules when they come in from May 2018. This is in line with the approach taken by the other EU data protection authorities.
GDPR-compliant applications submitted from now will receive approval after May 2018, once the new legislation is in effect.
The EU’s Article 29 Working Party is updating the guidance for BCRs under the GDPR. This guidance should be publically available by the end of the year. A link to this guidance will be published on the ICO website when it is available.
Applications currently with the ICO
Many companies have already submitted a BCR application to us under the current legislation and are waiting for it to be approved. We are working through these applications as quickly as we can.
As the date of GDPR taking effect approaches, we will continue to consider these applications and where necessary, will be in touch with the company concerned to ask them to update it so it is aligned with the GDPR.
As the Article 29 Working Party has previously acknowledged, lack of resources within data protection authorities can lead to delays in authorisation. The ICO is making changes to improve its BCR approval service, and the timeliness of application processing in the run up to the GDPR taking effect. We have deployed extra ICO staff to help with the flow of applications as well as bringing in external expertise and offering secondments to suitably experienced candidates to boost our capacity in this area. We are also working on additional resources to assist those making applications.
Previously approved BCRs
Organisations that have previously had BCRs approved by the ICO will need to ensure that they (and all their data processing) are GDPR compliant by 25 May 2018, as there is a requirement that BCRs take into account modifications of the regulatory environment.
Companies can inform us about the changes made to make sure their BCRs comply with GDPR when they next contact us with their annual update. We will be writing about this to all individual approved BCR organisations nearer the time.
Contacting the ICO about BCRs
There is a dedicated email address for organisations that wish to contact the ICO about BCRs. Please email any BCR-related questions to firstname.lastname@example.org.
James Dipple-Johnstone is Deputy Commissioner for Operations at the ICO. He oversees the Enforcement and Assurance departments as well as those for Data Protection Complaints and Reviews and FOI Complaints and Appeals.