The Information Commissioner’s Office (ICO) is changing its approach to approving UK Binding Corporate Rules (BCRs). New guidance along with revamped documentation will be released later this month, which will include the following:
Those applying for controller and processor BCRs in the UK will have the opportunity to combine their binding instrument so that there is only one set of BCRs. These BCRs will apply to the UK only, meaning that those with EU BCRs will still need separate BCRs for controllers and processors in the EU (the European Data Protection Board does not consider that controller and processor BCRs can be combined). The ICO confirmed that it does not intend to provide template language for what combined BCRs should look like. The current view is that any prescriptive language could hinder organisations and prevent applicants from tailoring their BCRs to the needs of their businesses.
The new guidance for controllers and processors intends to provide applicants with information on what the ICO expects to see in the documentation, together with more transparency on the ICO’s approval process. However, going forward, the aim is to be less prescriptive and more “principles-based”, which mirrors the general approach from the UK in its proposed data protection reforms.
The referential tables for controllers and processors will be consolidated into one core table. The referential tables set out the requirements to which UK BCRs should conform and also where in the UK BCRs each specific requirement is addressed. Applicants only need to complete one core referential table (consisting of just four pages), irrespective of whether they are applying for controller BCRs, processor BCRs, or both. However, there is a new ‘Annex’ to the core table which needs to be completed if applying for processor BCRs.
Notwithstanding the above, the ICO has chosen not to combine the BCR application forms, although we can still expect to see some changes in the two current application forms. There will be more emphasis on demonstrating how the UK BCRs are internally and externally binding. Overall, both application forms are shorter (albeit only slightly).
The shift comes following feedback from organisations wanting to have more freedom to tailor their BCRs to their business requirements. The ICO agrees that each organisation should be able to shape its BCRs in a way that meets the business’s needs. That said, the onus is still very much on applicants to show how their BCRs meet the requirements in Article 47 of the UK GDPR.
The ICO highlighted that it wants to be more transparent with applicants on what should be included in the entire suite of BCR documentation. The aim is for this level of transparency to help speed up the approval process. The removal of the current repetition and duplication of documentation is also an attempt to make the approval process more efficient.
The current UK BCR documentation will remain on the ICO’s website for at least 12 months while there is a shift to the new documentation. However, organisations are encouraged to use the new documentation once it is published.
The ICO confirmed that organisations with UK BCRs already in place do not need to do anything. Those that have recently submitted their application to the ICO based on the current documentation and are waiting for their BCRs to be approved can leave the documentation as it is, but when the ICO responds, any queries are likely to be based on the new guidance. Applicants still in the process of putting their documentation together using the current forms can continue to use them.
Going forward, there will be a real focus from the ICO on two key priorities:
a) Ensuring data subjects are able to enforce their rights in the UK.
The onus is on applicants to show how data subjects are able to enforce their rights within the UK legal framework. Data subjects should be able to take any action they are entitled to, through the UK courts, and go to the UK supervisory authority, if required. Further, data subjects should not have to go to great efforts to navigate and understand a document.
b) Guaranteeing the UK BCRs are binding internally and externally.
The ICO’s preference remains unchanged in that it still wants there to be an effective, legally binding intragroup agreement, which ensures that the UK BCRs are internally and externally binding. However, applicants are welcome to put forward different alternatives, which the ICO will consider on a case-by-case basis.
Applicants ideally need an entity in the UK with delegated responsibilities under the UK BCRs. However, the ICO appreciates that this is not always appropriate for organisations and so the ICO will consider a branch as an entity on a case-by-case basis. The ultimate priority is whether data subjects can easily enforce their rights. Data subjects should not have to pursue a company overseas to enforce their rights under the UK BCRs, which they are entitled to under the UK GDPR. We understand that the ICO may consider a branch as a legal entity if the following conditions are met: (i) the parent company will step in to resolve any shortcomings on the part of the branch; (ii) the branch is willing to accept service of proceedings; and (iii) the branch has sufficient assets (the ICO will not require proof of this – only a commitment).
Once the new documentation is released, the ICO intends to set up quarterly engagements to enable organisations to give their feedback on the process, together with providing applicants with more information on what is necessary to get UK BCRs approved quickly.