What’s this about?
The UK’s data protection regulator the Information Commissioner’s Office (ICO) recently issued revised guidance concerning the data transfer mechanism “Binding Corporate Rules” (BCRs) along with new application forms and tables for both data controllers and data processors. This article is a brief look at the guidance.
What are BCRs?
Under UK GDPR (and EU GDPR) international data transfers can only be made in certain ways and subject to various conditions. These include country Adequacy Decisions, Standard (Model) Contract Clauses (probably the most relied on mechanism by organisations), and BCRs.
In sum, BCRs enable a group of companies to demonstrate appropriate safeguards when they transfer personal data internationally between the group’s entities.
Article 47 of UK GDPR sets out the conditions for BCRs, which must be approved by the ICO. Once approved, BCRs provide entities of a group with an appropriate transfer mechanism to send personal data outside the UK to a group company located in a country for which there is no UK Adequacy Decision. In addition, they provide the group with a set of internal rules that define the group’s global data protection standards. It should be emphasised that BCRs do not provide a basis for international data transfers made outside of the group.
BCRs are quite detailed, lengthy and complex documents which, in addition to demonstrating an organisation’s general compliance with the principles of UK GDPR, also demonstrate an organisation’s:
- Adherence to the rights of data subjects and a commitment to communicate these rights to data subjects;
- Legal liability, internally and externally, for personal data transfers;
- Appointment of a data protection officer (or other employee responsible for managing the organisation’s ongoing compliance with BCRs across the group as well as the monitoring of data protection training and complaint handling);
- Implementation of complaint procedures;
- Assurance that there are mechanisms in place for verifying the BCRs, which include internal procedures for reporting and recording changes to the BCRs along with mechanisms for notifying a data protection regulator of such changes;
- Assurance that it will provide appropriate data protection training to personnel with regular access to personal data; and,
- Commitment to a data protection strategy across its group.
In the UK there are two types of BCRs:
- UK Controller BCRs (which in ICO terms are called “UK BCR-C”) – these apply to transfers of personal data from a UK-based data controller to other controllers or to data processors established outside the UK within the same group; and,
- UK Processor BCRs (which in ICO terms are called “UK BCR-P”) – these apply where personal data is received from a UK-based data controller (which is not a member of the group) and is processed by group members as processors or sub-processors.
What does the revised guidance say?
The ICO has updated its “Guide to Binding Corporate Rules” consisting of revised guidance, application forms and tables for both data controllers and data processors. The revised guidance aims at providing both more flexibility and clarity on what the ICO needs to see from applicants. Key aspects of the guidance are as follows:
- Structurally it is divided into two parts: one dealing with data controllers (11 sections); and the other dealing with data processors (13 sections);
- The UK BCR approval process has been simplified – the ICO only requests: (a) supporting documents and commitments once during the UK approval process; and, (b) that the appropriate requirement appears in the most relevant section of the documentation pack;
- Data Controllers:
- The data controller part of the guidance takes into account the so-called Schrems European Court ruling (which post-Brexit applies to the UK) that requires data exporters to determine if the mechanism they intend to use for a data transfer to a third country (i.e. here a BCR) provides an adequate level of protection in the circumstances of that transfer, meaning that the nature of both the personal data transfer and the destination country will need to be considered. In UK ICO terms this is called a “Transfer Risk Assessment” (TRA). The ICO will not require applicants to provide TRAs during the BCRs application process but instead will require organisations to make certain assurances. Note though that the ICO may request evidence or copies of TRAs as part of its ongoing monitoring of approved UK BCRs, so it is very important that TRAs are still undertaken;
- The UK Controller BCRs comprise the following: (a) the application form itself (UK BCR-C); (b) the so-called “Referential Table”, which must be completed by all applicants; (c) the so-called “Binding Instrument” (usually an intragroup agreement (IGA)); (d) the BCR Policy – this is the public-facing document that provides individuals with the key information concerning their data and its transfer under the UK Controller BCRs, which must be made accessible to individuals; and, (e) other relevant policies and procedures as referenced in the UK BCRs;
- A fundamental change to the approval process is the revision of the Referential Table. Applicants must understand and demonstrate their understanding of the spirit and intent behind Article 47 of UK GDPR in their policies and procedures and their compliance with Article 47 and UK GDPR more broadly – applicants must set out in the table the documents in which the various Article 47 requirements are met/satisfied;
- Another important change is what must appear in the BCR Policy, which the ICO expects organisations to publish in full. This document provides people with the key UK GDPR Article 47 information they need about their data and its transfers under the UK BCRs and the ICO says that it should focus on the essential elements of the UK Controller BCRs as a whole which are of most importance to people;
- The ICO’s preference is to see an IGA as the Binding Instrument because under UK law this provides legal certainty to people over the rights that exist under the UK BCRs. If an applicant wishes to put forward something other than an IGA, the onus is on the applicant to provide full details when they apply (and supporting evidence, if necessary);
- The issue of liability must be addressed both in the Binding Instrument and in summary form in the BCR Policy. An applicant’s nominated UK legal entity(ies) with delegated responsibility must ensure they are able to meet those liabilities under the UK Controller BCRs. Consequently, during the approval process, the ICO will seek assurances and commitments that the nominated UK entity(ies) either has or can individually call on sufficient assets to remedy any breach of the UK Controller BCRs;
- Relevant supporting policies or procedures should be included and referenced as part of the BCR application. These demonstrate that an organisation has a full compliance programme which sits behind and complements the UK Controller BCRs, including the organisation’s approach to training, audit or verifications, complaint handling and how it communicates the UK Controller BCRs to staff at all levels;
- In essence, policies and procedures demonstrate an organisation’s accountability framework in a transparent manner. Any global policies and procedures must therefore comply with UK GDPR more broadly and specifically within the BCR sphere where an organisation is seeking a UK Controller BCR approval. It is against this spirit and intent that the ICO says it will assess key supporting policies and procedures. As UK Controller BCRs consist of a number of documents the ICO will focus on how the whole suite of BCR documents are made binding;
- Data Processors:
- The data processor part of the guidance takes into account the so-called Schrems European Court ruling, as described earlier above concerning UK Controller BCRs;
- The UK BCRs comprise the following: (a) the Application form itself (UK BCR-P); (b) the so-called “Referential Table”, which must be completed by all applicants (plus Annex 1 for UK BCR-P); (c) the so-called “Binding Instrument” (usually an intragroup agreement (IGA)); (d) the BCR Policy – this is the public-facing document that provides individuals with the key information concerning their data and its transfer under the UK Processor BCRs, which must be made accessible to individuals; and, (e) other relevant policies and procedures as referenced in the UK Processor BCRs;
- A fundamental change to the approval process is the revision of the Referential Table, as described earlier above concerning UK Controller BCRs. In addition to completing the UK BCR referential table, Annex 1 of the table must also be completed for a UK BCR-P application;
- Another important change is what must appear in the BCR Policy, as described earlier above concerning UK Controller BCRs;
- The issue of liability must be addressed both in the Binding Instrument and in summary form in the BCR Policy, as described earlier above concerning UK Controller BCRs;
- In terms of scope, a UK BCR-P is primarily intended to enable and protect intra-group international data transfers between members of the Processor BCR group. The ICO says that it understands that, in many cases, approved BCR-P are being relied on as an international transfer tool by external third party UK Controllers and the ICO is aware that those UK Controllers may be sending data directly to an overseas processor member of a BCR-P group, regardless of which member of that group they are contracting with. The ICO acknowledges and recognises this as a broader, practical use of a UK BCR-P and accepts that an external third party UK Controller may transfer data directly to members of a UK BCR-P located in third countries, without first passing data to the UK-based BCR-P member;
- The ICO reminds data processors of the obligations contained in Article 28 of UK GDPR (i.e. those which form the basis of Data Processing Agreements). The ICO will not examine specific contractual arrangements, but, as part of the UK BCR-P approval process, data processors are expected to commit to those arrangements being in place prior to the processing or transfer of personal data under the UK BCR-Ps. Data processors are also reminded that the use of sub-contractors must be agreed with the relevant data controller and that data processors cannot avoid their duties, obligations and liabilities through the use of sub-contractors;
- The ICO’s preference is to see an IGA as the Binding Instrument, as described earlier above concerning UK Controller BCRs;
- Relevant supporting policies or procedures should be included, referenced as part of the BCR application, as described earlier concerning UK Controller BCRs;
- Simultaneous applications for Data Controller BCRs and Data Processor BCRs:
- Applicants wishing to apply simultaneously for UK BCR-C and UK BCR-P may submit separate application forms and supporting documentation. Separate application forms are still required, but applicants may submit: (a) one combined UK BCR Policy for both UK BCR-C and UK BCR-P; (b) one combined IGA for UK BCR-C and UK BCR-P; and (c) a combined set of supporting policies and procedures if they cover both the UK BCR-C and UK BCR-P. All applicants are now required to complete the same Referential Table, with a supplementary annex to be completed only by those applying for UK BCR-P. Where combined UK Controller and Processor documentation is submitted, it must clearly delineate the data controller and data processor obligations as necessary. The BCR Policy accompanying the application should be contained in one document; a number of documents may be supplied (for example, as annexes) provided that the relationship between them is made clear. Applicants are encouraged to draft succinct BCR Policies with as few annexes as possible. Finally, the IGA/binding mechanism should be a separate document.
Whilst guidance is only guidance (i.e. only a court has the final say on the interpretation of UK GDPR as regards UK BCRs), because a BCR has to be applied for and the application involves certain procedures, the guidance has to be consulted.
Because applying for a BCR involves quite a bit of work, organisations should set aside sufficient resources for this process, including spending time going through and applying the guidance.
The revised application forms and Referential Tables are less prescriptive and generally the revised approach should allow for some flexibility for organisations when drafting materials including the BCR Policy.
We write about privacy/data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The ICO’s guidance (and related BCR documents) can be found here: https://ico.org.uk/for-organisations/guide-to-binding-corporate-rules/
The list of BCRs approved under UK GDPR to date can be found here: https://ico.org.uk/for-organisations/guide-to-binding-corporate-rules/bcr-approvals/bcrs-approved-under-uk-gdpr/.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785