It looks like Europe’s Article 29 Working Party on data protection’s New Year’s resolution was to be helpful to data processors, as it has decided to launch Binding Corporate Rules (“BCRs”) for data processors from 1 January 2013. Previously, using BCRs to manage cross-border personal data flows was only an option for data controllers.
As a reminder, BCRs are a set of rules which an entity can voluntarily put in place between members of its corporate group, wherever they are located. The rules need to be blessed by the Information Commissioner, but once that has been achieved they provide some valuable benefits, including:
- they allow personal data to be transferred freely intra-group; and
- the whole corporate group is considered “adequate” under European data protection law meaning each member is able to receive personal data from others - so safeguards do not have to be assessed each time data is going to be transferred by a processor outside of the EEA and other adequate jurisdictions.
Data controllers (any entity which processes personal data relating to, say, its own employees) have been able to benefit from BCRs for some time, but now data processors, like multinational outsourcing companies and cloud service providers which process personal data (e.g. payroll or medical data) as part of their external business operations (i.e. the services they offer to customers), will be able to take advantage. So an outsourcer based in the EEA could collect personal data from a customer located in the EEA, and then transfer that data to a subsidiary in India, under cover of the group BCRs. Obviously many outsourcers and cloud service providers use this business model now, but data protection compliance is an ongoing task, requiring them to sign up to the approved model clauses with each new customer.
Putting BCRs in place and obtaining ICO approval is not a particularly quick or easy procedure, but it is a one-off exercise, apart from some required notifications. This new development offers an interesting opportunity for organisations which process significant amounts of customer personal data to potentially cut costs, reduce compliance risks, and perhaps find a new selling point as an ICO-approved, cross-border, data protection compliant service provider. Obviously someone in marketing might want to come up with a catchier strapline.