The upcoming EU GDPR formalises a method of ensuring adequate protection for personal data when it is transferred to countries outside the European Economic Area between different entities of the same corporate group.
These are known as “Binding Corporate Rules” (BCRs) and are seen as the gold standard for intra-group data protection.
They were developed because repeatedly putting contractual arrangements in place for every transfer is neither a cost-effective nor a practical way of legitimising international transfers for data-reliant organisations operating across the globe.
Essentially, a set of BCRs must be based on EU data protection standards (the required contents are set out in Article 47(2) of the GDPR) and must specify at least the following:
- the structure and contact details of the corporate group and of each of its members;
- the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question;
- their legally binding nature, both internally and externally;
- the application of the general data protection principles, in particular, purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the BCR;
- the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling, the right to lodge a complaint with the competent supervisory authority and before the competent courts, and to obtain redress and, where appropriate, compensation for a breach of the BCR;
- the acceptance by the data controller or processor established on the territory of a member state of liability for any breaches of the BCR by any member concerned not established in the Union;
- how the information on the BCR is provided to the data subjects;
- the tasks of any data protection officer (DPO) or any other person or entity in charge of monitoring compliance with the BCR;
- the complaint procedures;
- the mechanisms for ensuring the verification of compliance with the BCR;
- the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
- the cooperation mechanism with the supervisory authority to ensure compliance;
- the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the corporate group is subject in a third country that are likely to have a substantial adverse effect on the guarantees provided by the BCR; and
- the appropriate data protection training to personnel having permanent or regular access to personal data.
That might seem like a lot to sort out and keep on top of. But if you implement it early, and have a dedicated data protection team that every arm of your multinational corporate group can readily reach, you will be in much better shape for complying with the GDPR.