Teal blue header image

ICO announces changes to Binding Corporate Rules applications

The authorisation of Binding Corporate Rules (BCRs) will continue under the General Data Protection Regulation (GDPR), according to the Information Commissioner's Office (ICO).

In its recent blog, the ICO clarified the status of the application and authorisation process for BCRs under the GDPR. The ICO also made it clear that no cancellation of BCR authorisation is expected because of Brexit.

What are BCRs?

Under the GDPR, personal data can be transferred outside the EU, if there is a sufficient level of protection in place at the intended destination to ensure that the protection of the rights and privacy of the individuals involved is not undermined.

Personal data transfers outside the EU may take place where the European Commission has issued an adequacy decision, meaning that the country concerned ensures an adequate level of protection in respect of any personal data transferred to that country (Article 41 of the GDPR). Where there has been no such decision, however, it is down to each organisation to ensure that adequate safeguards are put in place for the protection of personal data transferred outside the EU (Article 42 of the GDPR).

One way to do this is to use BCRs. Adequate safeguards may also be provided by a legal binding agreement between public authorities or public bodies or standard data protection clauses in the form of template transfer clauses adopted by the Commission. More information on the provision of adequate safeguards can be found on the ICO website.

BCRs apply to multinational organisations transferring personal data outside of the European Economic Area (EEA), but within their group of entities and subsidiaries. BCRs constitute internal rules that define an organisation's global policy in relation to international transfers of personal data. Organisations must receive approval for their BCRs from the EU data protection authorities, with one authority (such as the ICO) acting as a leader in BCR authorisations.

Will the BCR authorisation process continue upon Brexit?

The ICO noted that there will be no cancellation of BCR authorisation because of Brexit. The UK regulator will continue to work closely with other European Data Protection Authorities for international transfers to be achieved.

Applications submitted from now on

New applications for BCR authorisation must comply with the requirements of the GDPR in relation to the adequate safeguarding of the personal data transferred outside the EU. This requirement aims to ensure that BCRs align with the GDPR when it comes into force in May 2018.

Applications currently awaiting authorisation by the ICO

Some organisations have already submitted a BCR application to the ICO under the current data protection legislation and are waiting for them to be authorised. The ICO has confirmed that it is currently in the process of reviewing these applications. It also stated that it will continue to process these applications, and where necessary, will be contacting the organisations concerned to ask them to make any amendments necessary to ensure that their BCR applications are aligned to the GDPR.

BCRs already authorised by the ICO

Organisations that have already received authorisation for their BCRs will need to take into account changes to the regulatory environment and ensure that their BCRs (and all their data processing) are updated in accordance with the GDPR requirements by 25 May 2018.

Organisations are advised to inform the ICO of any changes made in accordance with the GDPR requirements in their next annual update communication to the ICO.

Next steps

Updated guidance in relation to BCRs under the GDPR is being produced by the Article 29 Working Party (WP29) and is expected to be published by the end of the year.

WP29 has also recently announced that it is consulting on two adopted working documents, Binding Corporate Rules (Working Document 153) and Processor Binding Corporate Rules (Document 195), setting out tables to reflect the new GDPR, BCR and Processor BCR requirements. The consultation runs until 17 January 2018.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Insights & events View all