The ICO recently updated its Binding Corporate Rules (BCR) guidelines, which aim to simplify the UK GDPR approval process.
What are BCRs?
Accepted BCRs are one of the mechanisms for demonstrating adequacy (rather than using a Standard Model Clause or SCC). They allow cross-organisational, cross-border transfers of data to controllers or processors in compliance with Article 47 of the UK GDPR.
What do they contain?
The UK BCR consists of:
- Application – On the application form, companies demonstrate their implementation, management and monitoring of the UK BCR, including details of data flow and relevant audits. Controllers and processors have different applications.
- Binding instrument – The binding instrument is generally an agreement between groups, of the kind favoured by the ICO, to ensure individuals can exercise their rights in the UK. This instrument should be designed to be reader-friendly.
- Reference table – The reference table contains references to sections of the BCR that demonstrate compliance with Article 47.
- BCR Policy – It should contain the vital information required under Article 47 in relation to the data of the individual.
- Other relevant policies and procedures referenced in the BCR – These should demonstrate compliance.
What has changed?
- Accompanying documents (e.g. data protection guidelines, internal data protection guidelines and training) are only requested once during the approval process.
- Revision of the reference table
  - Instead of having separate reference tables for controllers and processors, all applicants have to fill in the reference tables. The processor must also complete Appendix 1 of the reference table.
- Publication of the BCR policy
  - The ICO expects companies to publish their BCR policy in full so that individuals can access the critical information they need about their data and transmissions.
For more information, see: