Changes to Binding Corporate Rules in a GDPR world


Today the ICO published a new blog post about its approach to processing Binding Corporate Rules (BCRs) applications.

BCRs are used to allow intra-group transfer of data where the transfer is outside the EEA. Simply put, they allow a business to arrange the transfer of EU-related data to a part of their business that’s outside Europe. The process requires the company to submit the BCRs to a “lead authority” (determined by their HQ location). These are then discussed between all the EU regulators before they can be used by the organisation.

BCRs are a useful tool to address international transfer of data, remembering that it is unlawful to transfer data outside the EU according to data protection rules unless adequate safeguards (BCRs being one of them) are in place.

Data transfer rules have been part of the UK’s Data Protection Act for the last (nearly) 20 years and will continue with the GDPR. Today’s update from the ICO is about addressing the implications of GDPR. The key points being made by the ICO are:

  • BCR authorisations won’t be cancelled because of GDPR coming into force, but businesses relying on them need to make sure their current BCRs are GDPR compliant
  • The ICO will continue to be the UK’s lead authority and will work with other European data protection authorities in this regard
  • Any BCR applications going forward must be GDPR compliant and these will receive approval after GDPR comes into effect on 25th May 2018
  • For applications currently being considered by the ICO, they will be considered in light of the GDPR and the ICO may be in touch with the applicant to discuss updating their application to GDPR standards
  • The ICO are recruiting more people to help with the approval process
