Reasons to consider Binding Corporate Rules

Compliance & Ethics Professional, a publication of the Society of Corporate Compliance and Ethics, www.corporatecompliance.org, August 2015.

Cover contents: Meet Amyn Thawer, Head of Global Compliance & Integrity, LinkedIn (see page 14); 45: Your company is being examined: Prepare well or pay later, Catherine Colyer; 37: Pragmatic compliance in the real world: A practitioner’s view, Part 1, Robert Streeter; 19: Let’s get personal: Is your data sensitive?, Kristy Grant-Hart; 29: Compliance programs: When they work and when they don’t, Richard T. Preiss.

This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.


This article is the third of a series of four. The first part was published in our June 2015 issue.

One of the most complex issues multinational companies have to tackle today is coming into compliance with international data transfer requirements. This is especially true in the face of a changing regulatory landscape. Binding Corporate Rules (BCRs) help companies manage these compliance issues head on. BCRs are internal rules adopted by multinational companies that define the company’s global policy on protecting personal information of employees, customers, vendors, and suppliers. BCRs are unique in that they are entirely scalable and provide a compliance solution to deal with data privacy under current and future data privacy laws in Europe and beyond.

This article will explain (1) who can apply for BCRs; (2) why companies should consider using BCRs; and (3) how BCRs can prepare companies for the upcoming General Data Protection Regulation (Regulation) in the European Union (EU).

Reasons to consider Binding Corporate Rules

» Binding Corporate Rules (BCRs) are a transfer solution for multi-national companies located in or outside of the European Union (EU) to export personal information from the EU.

» BCRs allow the streamlining of company privacy policies and create general privacy awareness.

» BCRs help assure regulators, consumers, and business partners that the company is committed to a transparent privacy solution.

» When compared to other available transfer solutions, BCRs prove to be the most effective global strategy.

» BCRs help to prepare companies for the upcoming EU General Data Protection Regulation.

by Jan Dhont, Alyssa Cervantes, and Delphine Charlot

Who can apply for BCRs?

There are virtually no restrictions on the type or profile of companies that can apply for BCRs. All companies that have affiliates outside of the EU are eligible to apply for BCRs. However, BCRs become truly interesting where the sharing of personal information between affiliates is more than occasional, for instance, where companies have shared service centers in various world locations, or where personal information is stored on regional servers and made available between affiliates of different regions. Furthermore, there are no restrictions in terms of business sectors or industries. BCRs are an option for each industry and may offer an alternative for businesses that do not qualify for the US-EU Safe Harbor Agreement, such as financial institutions. A complete list of companies that have successfully applied for BCRs can be viewed on the European Commission’s website [1] and includes companies such as Accenture, American Express, Atos, BMW, Citigroup, First Data, and Johnson Controls.

Moreover, processor agencies (including cloud service providers) located outside of the EU can apply for BCRs to import or access the personal information of their EU-based clients. Vendors are increasingly investing in BCRs, because they create competitive advantage and trust among clients.

BCRs ultimately constitute a long-term investment in data privacy and require a certain level of maturity in terms of a company’s privacy program. However, they also offer major benefits to companies that have not gone through the entire data privacy compliance process, because BCRs offer a practical baseline to tackle existing compliance gaps.

Why BCRs?

BCRs help companies to obtain compliance with relevant privacy and data protection rules through the harmonization of policies and procedures. Rather than having country or region-specific approaches, BCRs help to streamline and control information practices. BCRs do this through providing (1) a comprehensive privacy program; (2) a tailored privacy solution; (3) a commitment to privacy; and (4) an unrivaled transfer solution.

A comprehensive privacy program

BCRs offer companies the ability to institute a comprehensive privacy program or to upgrade their existing program. This streamlines the inter-company privacy process through the institution of a common language for the entire company in its approach to privacy compliance. In turn, this lowers a company’s administrative burden by allowing companies to continue to operate efficiently under a comprehensive privacy program.

A tailored privacy solution

A key quality of BCRs is that they do not offer a one-size-fits-all approach to international data transfers; rather, they offer a tailored privacy solution based on the business’ needs and structure. BCRs can be limited in terms of the types of information that are processed. For instance, a company may decide to apply for BCRs first for their human resources practices and broaden them to include other information practices, such as customer and vendor data processing. BCRs can also be limited in terms of their territorial scope; if some corporate affiliates are not considered BCR-ready, they can be kept outside the program. Also, their scope can be limited to personal information leaving the EU or applied more globally. They can even be combined with other data transfer solutions, such as the Safe Harbor certification, data transfer contracts, and privacy seals.

A commitment to privacy

BCRs act as a reassurance to regulators, consumers, and business partners that the company is committed to a transparent privacy solution. This creation of trust is extremely important especially in the context of international data transfers, which may include sensitive personal information. This signals to customers and business partners that their sensitive personal information is safe and that the customer can trust the company in future transactions. Furthermore, trust between the company and national regulators promotes efficiency. Regulators will understand that the company is committed to compliance, which typically produces a smoother interaction process with regulators.

An unrivaled transfer solution

BCRs deliver an accessible, global transfer solution that provides legal certainty; global use; and a practical, long-term solution. This is not always the case with alternative transfer solutions. For example, the Safe Harbor Agreement, although widely used, only applies to data transfers between the EU and the U.S. with certain business sectors completely excluded. Moreover, the Safe Harbor Agreement is currently being re-evaluated by the European Court of Justice and by the European Commission. Therefore, it is important to recognize the benefits of a legally certain instrument, such as BCRs, particularly when the future of the Safe Harbor Agreement is unknown.

Similar to BCRs, model contracts can be used globally. However, experience has shown that model contracts are much more beneficial in the context of sizeable data transfers. Companies with complex structures will have to put multiple model contracts into place, which can be a costly and burdensome process. The rigidity of model contracts is apparent when compared to the flexibility and scalability of BCRs.

Finally, BCRs are cost effective in terms of the solution they offer. Although the initial cost of creating BCRs can be high (depending on the maturity level of a company’s privacy program), the relative cost is low. This is because BCRs adequately reduce the complexity of multi-national compliance requirements through harmonized processes and procedures, and allow effective and controlled information sharing.

A side-by-side comparison of the available data transfer solutions can be found in Table 1.

Table 1: A comparison of data transfer solutions (Key: # of DS = Number of data subjects). [The table itself is not reproduced here.]

Looking ahead

The new Regulation is expected to be adopted by the end of this year and will come with a new set of data privacy requirements. These new requirements range from stricter accountability obligations, breach notification, and privacy by design requirements, to more severe sanctioning mechanisms. Moreover, the Regulation is expected to impose additional constraints on data processors (or processor agencies such as host and cloud service providers). Specifically, the current wording of the Regulation imposes direct compliance obligations on data processors, which is not the case under current privacy legislation. [2]

Companies that become “BCR-ready” will meet the majority of the compliance requirements under the new Regulation (or as a minimum, have an adequate governance structure in place to implement such requirements). This is so because BCRs mirror the regulatory regime of the new Regulation. Therefore, BCRs should not only be viewed as a mechanism to transfer personal information, but also as an effective means to prepare for upcoming legislation in the EU and beyond.

Notes

1. European Commission: List of companies for which the EU BCR cooperation procedure is closed. Available at http://bit.ly/List-of-companies.

2. See Article 3 of the proposed General Data Protection Regulation 2012/011. The Commission’s draft can be found at: http://bit.ly/ec-europa-justice. The Council’s draft can be found at: http://bit.ly/data-consilium.

Jan Dhont ([email protected]) is Partner and Head of the Koan Lorenz Privacy and Data Protection Practice, Brussels. Alyssa Cervantes ([email protected]) and Delphine Charlot ([email protected]) are Associates in the Koan Lorenz Privacy and Data Protection Practice, Brussels.
