BCRs: A part of the GDPR Jigsaw

Crispen Maung, Box Insights
Sep 21, 2017

You don’t need to be told the clock is ticking on GDPR compliance. You’ve read countless articles about the requirements, you’ve heard the scare stories about potential fines and you’re probably already preparing for May 2018, when GDPR comes into force.

If so, it’s likely you’re looking into Binding Corporate Rules (BCRs) as a way to support your GDPR compliance initiative. But what exactly are they, how do they work, and to what extent can you use them for your GDPR compliance efforts? These are key questions to ask.

Firstly, it’s worth noting that having BCRs in place may improve your position with regard to data protection. But they won’t make you GDPR compliant on their own; there is a lot more to do to show due diligence, oversight and accountability. For example, you still must prove that you meet the core principles of the GDPR (notably fair processing, purpose limitation, data minimisation, data accuracy, data retention, data security and accountability), and you need to prove it to the regulators! That said, let’s look at BCRs in more detail.

What are BCRs and who are they good for?

The BCR concept was developed by the EU as a stronger mechanism to enable multinational organisations to legally move data between EU and non-EU-based affiliates, with the key objective being to ensure adequate safeguards are in place to maintain and protect both the privacy and fundamental rights and freedoms of EU nationals when transferring their personal data between countries. BCRs are an alternative to having to sign standard contractual clauses each time you need to transfer data to another part of your organisation abroad. That can get cumbersome.

Just so you know, the BCR process is a Process!

  • First off, you need to identify your “Primary” Data Protection Authority (DPA), then draft your data protection policies as they relate to you as either a Data Processor or Data Controller, or in some cases you may be both — Ouch!!!
  • Once that’s done, you submit them to your primary DPA, who reviews each policy to ensure they meet the Data Protection requirements (there may be a lot of “back and forth” between you and the Primary DPA as you fine tune your policies based on their comments).
  • After that hurdle, your Primary DPA will identify another two different DPAs who will both review your policy package(s) and, guess what, if there are any comments from the secondary reviewers you will need to work your way through those comments.
  • By now, you’re hoping there’s some “light at the end of the tunnel”. Well, there is! Once your Primary DPA has received all the feedback and nothing requires further comment or modification, your Primary DPA sends your data protection policies to all the remaining DPAs for review and comment. If they hear nothing back, then you are “Golden” and your BCR package will be approved by your Primary DPA. If there are comments, then you will have to work through them until they are resolved.

Once you’ve been through this process, which can take as long as 24 months, your BCR package is in place. However, having BCRs is a long way off from being GDPR compliant. They certainly lead you towards good information governance, but an approved BCR package in itself is nowhere near “GDPR done”; it is perhaps the first foot on the ladder. The principal advantage of BCRs is that, once in place, you know you have a strong legal mechanism, supported by a well-defined set of implemented policies, to allow the transfer of data to non-EU countries.

Do BCRs have a downside?

In terms of disadvantages — well, there are no major disadvantages to BCRs: at Box, we consider them one standard framework that will not be questioned under GDPR, because they are created in step with EU guidelines.

However, the caveat here is they mean nothing if you cannot prove you can enforce them. That’s where the rubber hits the road. It means you must have the processes and infrastructure in place to support the agreement. Also worth noting: you may have BCRs in place, but you need to do your due diligence to ensure the location where your data is being stored or processed is included and protected under the BCRs.

At the end of the day, the process to obtain an approved package can be arduous and time consuming: in a nutshell, it took us about 24 months to complete and required constant oversight and management to drive it to closure. BCRs can take a lot of work to set up and obtain; in fact, few companies have successfully attained approved BCR packages in the Enterprise Cloud Computing space. For us, having approved BCRs in place is absolutely critical because we need to support our customers by having robust mechanisms in place to support their own compliance needs.

As a final thought, a better way than going through it on your own could be to do your due diligence with a trusted partner and leverage their Data Protection framework of policies, procedures, controls, infrastructure and processes to secure and protect your data. With regard to GDPR, the good news is you still have options available to you. If you’d like to find out more about what it takes to meet the requirements of the regulation, visit Box’s page on GDPR readiness.