Tuesday 21 Nov 2017 @ 09:25
Information Commissioner's Office
Printable version

Blog: Changes to Binding Corporate Rules applications to the ICO

The Information Commissioner’s Office is widely recognised as a leader in Binding Corporate Rules (BCR) authorisations.  Around 25 per cent of the BCRs approved across Europe so far have been authorised by the ICO.*

The ICO is also one of the largest regulatory offices in Europe, meaning it has capacity to deal with authorisations at scale and at present we are working on around 40 BCR applications at various stages of the process.

BCRs are one of the ways organisations can comply with data protection rules about ensuring adequate safeguards when personal data is sent outside the European Economic Area (EEA).

They apply to multinational organisations transferring personal information outside the EEA but within their group of entities and subsidiaries. Organisations must get approval for their BCRs from the EU data protection authorities, with one authority, such as the ICO, acting as the lead.

BCRs will continue under the General Data Protection Regulation (GDPR), which becomes applicable next May. The ICO will carry on receiving and accepting BCR authorisation applications in the run up to, and beyond, GDPR taking effect. We encourage organisations to make contact with us if they wish to discuss their needs in advance of making an application.

It’s important to note that no BCR authorisation will be cancelled because of Brexit. The ICO will continue to work together with other European data protection authorities for international transfers to be achieved and to ensure that the ICO’s leading expertise in BCR is continually available to the international controller and processor community.

This blog post sets out some key facts those planning to apply for BCRs and those who already have approved BCRs should be aware of as we get closer to the GDPR taking effect. Information about other methods of ensuring adequate safeguards for international transfer, more suitable than BCRs for certain organisations, is on the ICO website.

Applications from now

We are asking any company planning to apply to the ICO for BCRs to ensure their application aligns with the GDPR. This is so that, once they are processed, they will comply with the new rules when they come in from May 2018. This is in line with the approach taken by the other EU data protection authorities.

GDPR-compliant applications submitted from now will receive approval after May 2018, once the new legislation is in effect.

The EU’s Article 29 Working Party is updating the guidance for BCRs under the GDPR. This guidance should be publically available by the end of the year. A link to this guidance will be published on the ICO website when it is available.

Applications currently with the ICO

Many companies have already submitted a BCR application to us under the current legislation and are waiting for it to be approved. We are working through these applications as quickly as we can.

As the date of GDPR taking effect approaches, we will continue to consider these applications and where necessary, will be in touch with the company concerned to ask them to update it so it is aligned with the GDPR.

As the Article 29 Working Party has previously acknowledged, lack of resources within data protection authorities can lead to delays in authorisation. The ICO is making changes to improve its BCR approval service, and the timeliness of application processing in the run up to the GDPR taking effect. We have deployed extra ICO staff to help with the flow of applications as well as bringing in external expertise and offering secondments to suitably experienced candidates to boost our capacity in this area. We are also working on additional resources to assist those making applications.

Previously approved BCRs

Organisations that have previously had BCRs approved by the ICO will need to ensure that they (and all their data processing) are GDPR compliant by 25 May 2018, as there is a requirement that BCRs take into account modifications of the regulatory environment.

Companies can inform us about the changes made to make sure their BCRs comply with GDPR when they next contact us with their annual update. We will be writing about this to all individual approved BCR organisations nearer the time.

Contacting the ICO about BCRs

There is a dedicated email address for organisations that wish to contact the ICO about BCRs. Please email any BCR-related questions to bcr@ico.org.uk.

*Based on European Commission figures. An updated list of ICO BCR approvals is available here.

Channel website: https://ico.org.uk/

Original article link: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/

Share this article

Latest News from
Information Commissioner's Office

ICO statement on Upper Tribunal ruling

25/04/2024 14:10:00

The Upper Tribunal has ruled on our action to require Experian Limited to change how it handles people’s personal data, dismissing our appeal of the First-tier Tribunal’s ruling of 20 February 2023.

ICO fines two companies a total of £340,000 for making aggressive and unwanted marketing calls

24/04/2024 15:20:00

The Information Commissioner’s Office (ICO) has fined Cardiff-based Outsource Strategies Ltd (OSL) £240,000 and London-based Dr Telemarketing Ltd (DRT)£100,000 after the companies made a total of almost 1.43 million calls to people on the UK’s “do not call” register, the Telephone Preference Service (TPS).

Housing association reprimanded for exposing personal information on online portal

19/04/2024 14:10:00

We have issued a reprimand to Clyde Valley Housing Association in Lanarkshire after personal information was accessible to other residents on an online customer portal. 

ICO publishes guidance to improve transparency in health and social care

16/04/2024 09:10:00

The Information Commissioner’s Office (ICO) is supporting health and social care organisations to ensure they are being transparent with people about how their personal information is being used.

Information Commissioner’s Office seeks views on accuracy of generative AI models

12/04/2024 12:25:00

The Information Commissioner’s Office (ICO) has launched the latest instalment in its consultation series examining how data protection law applies to the development and use of generative AI.

ICO joins global data protection and privacy enforcement programme

04/04/2024 15:20:00

The Information Commissioner’s Office (ICO) has signed onto a new international multilateral agreement with the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) to cooperate in cross-border data protection and privacy enforcement.

ICO sets out priorities to protect children's privacy online

04/04/2024 09:10:00

The Information Commissioner’s Office (ICO) is calling on social media and video-sharing platforms to improve their data protection practices so children are safer when using their services. 

ICO publishes new fining guidance

19/03/2024 09:10:00

The Information Commissioner’s Office has published new data protection fining guidance setting out how it decides to issue penalties and calculate fines.

ICO reprimands Dover Harbour Board and Kent Police over information sharing

18/03/2024 10:20:00

The Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police after they breached data protection law.