On 25 July 2022, the Information Commissioner’s Office – the UK’s independent authority which upholds information rights – published new guidance on UK binding corporate rules (BCRs). Our Commercial and Tech team has deciphered this new guidance to explain what it means for users.
The ‘gold standard’ transfer mechanism
BCRs are used to safeguard data transfers to countries recognised as not having adequate protection, known as ‘restricted transfers’, and are part of UK law under Article 47 UK GDPR. A restricted transfer within an international organisation can be lawful if both the sender and receiver have signed up to approved BCRs.
BCRs are designed for use by different audiences including:
- multinational corporate groups;
- groups of undertakings; or
- a group of enterprises engaged in a joint economic activity such as:
  - joint ventures; or
  - professional partnerships.
The ICO approves UK BCRs under Article 58.3(j) and it regards them as the “gold standard” transfer mechanism. Recognising that BCR applicants may seek both EU and UK BCRs and that Article 47 requirements in these jurisdictions currently overlap, the ICO has tried to simplify the UK BCR approval process.
Guide to the Updated Framework
The key changes in the ICO’s new guidance include:
- revised requirements tables;
- simplified policy documents; and
- updated application forms.
The changes aim to make it easier to attain UK BCR approval and to reduce application documentation for both:
- controller UK BCRs (UK BCR-C); and
- processor UK BCRs (UK BCR-P).
UK BCRs, as set out in Article 47 UK GDPR, consist of:
- the relevant application form;
- the binding instrument, usually an intra-group agreement (IGA);
- the referential table (plus, for UK BCR-P applicants, Annex 1 containing Article 28 clauses);
- the BCR Policy (see below); and
- other (relevant) policies and procedures as referenced in the UK BCRs.
The ICO’s guidance assists controllers when preparing the UK BCR pack, clarifying what should be included within:
- the BCR Policy;
- the application form;
- the IGA; and
- any supporting documents.
The guidance explains UK BCR requirements in Article 47 UK GDPR and the ICO’s expectations when considering issuing a UK BCR approval. The revised referential table now focusses on the requirements and the explanatory text mainly appears in the guidance.
Applicants must demonstrate their understanding of the spirit behind Article 47 in their policies and procedures and compliance with Article 47 and the UK GDPR more broadly.
The contents of the UK BCR document (the “Policy”) have also changed. It now provides people with key Article 47 information about their data and its transfers under the UK BCRs. The Policy should be succinct and audience-friendly. Transfer risk assessments (TRAs) must be undertaken for transfers of personal data from the UK to a third country. The ICO expects organisations to review their TRAs regularly. It will request assurances – though not the TRAs themselves – during the approval process and, post-approval, as an ongoing commitment.
Dual applications for UK BCR-C and UK BCR-P require separate application forms but can have one combined Policy and one combined IGA. Supporting policies and procedures can also be combined.
- Flexibility for UK BCR applicants is a priority.
- Transparency and accessibility for data subjects rather than a prescriptive approach.
- An overall quicker approval process.
- Remember: organisations with existing authorised EU BCRs do not need to complete a UK BCR application form or referential table but must still provide the ICO with a “UK version” of their BCRs.
At Hamlins, we help individuals and firms ensure compliance with the latest GDPR regulations and guidance. If you would like a conversation to find out how we might be able to help you, please contact Matthew Pryke.