PRIV- 36 – Binding Corporate Rules


What is this control about?

Implementing the control of ‘Binding Corporate Rules’ (BCRs) is crucial for multinational organizations that process personal data across different regions or countries. BCRs are a set of legally binding internal rules that govern the transfer and protection of personal data within a corporate group. They are a valuable mechanism for demonstrating compliance with data protection regulations, especially when data is transferred from regions with strict data protection laws (such as the European Union’s General Data Protection Regulation – GDPR) to jurisdictions with less stringent data protection requirements.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • Leverage this Binding Corporate Rules example. This is best created by your Legal team.

Control implementation

Here are some guidelines for implementing an effective Binding Corporate Rules (BCR) program, which is essential for organizations that operate globally and transfer personal data between their entities located in different countries. BCRs are a set of data protection policies and procedures approved by competent data protection authorities to ensure a consistent level of data protection across the organization. The steps to implement BCRs are:

Step 1: Conduct a Data Protection Gap Assessment

Begin by conducting a comprehensive data protection gap assessment to identify existing data protection practices, policies, and procedures across all entities within the organization.

Assess the current data flows, data processing activities, and data transfers, both within the organization and to external parties.

Step 2: Develop BCR Policies and Procedures

Based on the findings of the gap assessment, develop a set of data protection policies and procedures that align with the requirements of applicable data protection laws and regulations.

The BCRs should cover various aspects, such as data subject rights, data retention, security measures, data breach notification, and onward data transfers.

Step 3: Obtain Internal Approval and Adoption

Obtain approval from senior management and key stakeholders for the BCRs implementation plan.

Ensure that the BCR policies and procedures are communicated and adopted throughout the organization.

Step 4: Appoint a Data Protection Officer (DPO)

Designate a Data Protection Officer (DPO) responsible for overseeing the implementation and compliance with BCRs.

The DPO will act as a point of contact for data protection queries and coordinate with data protection authorities when necessary.

Step 5: Training and Awareness

Provide training and awareness sessions for employees to ensure they understand their roles and responsibilities regarding data protection and BCR compliance.

Step 6: Monitor and Audit Compliance

Implement a robust monitoring and audit program to regularly assess compliance with the BCRs.

Conduct internal audits to identify any areas of non-compliance and take corrective actions promptly.

Step 7: Data Protection Impact Assessments (DPIAs)

Conduct Data Protection Impact Assessments (DPIAs) for high-risk data processing activities as required by relevant data protection laws.

Address any risks identified in the DPIAs and implement appropriate mitigating measures.

Step 8: Cooperation with Data Protection Authorities

Establish mechanisms to cooperate and communicate with relevant data protection authorities regarding BCRs and data protection matters.

Step 9: Periodic Review and Updates

Periodically review and update the BCRs to ensure they remain effective and aligned with changes in data protection laws and the organization’s data processing activities.

Step 10: Verification and Approval by Data Protection Authorities

Once the BCRs are in place, submit them to the relevant data protection authorities for verification and approval.

Work with the authorities to address any feedback or requirements for approval.

What evidence do auditors look for?

Most auditors, at a minimum, look for the suggested evidence below:

  • Binding Corporate Rules Document: The primary piece of evidence is the actual Binding Corporate Rules document. This document should outline the organization’s internal data protection policies and procedures, addressing cross-border data transfers and data processing activities. The BCRs should be legally binding and aligned with relevant data protection regulations.
  • Approval from Data Protection Authorities: Auditors will look for evidence of approval from the relevant data protection authorities in the jurisdictions where the organization operates. This could include correspondence or official documents confirming that the BCRs have been approved and authorized.

Evidence example

For the suggested action, an example is provided below:

  • Binding Corporate Rules Document

Leverage this Binding Corporate Rules example. This is best created by your Legal team.

  • Approval from Data Protection Authorities

This would be an approval record for the BCR, such as correspondence or an official document from the relevant data protection authority confirming approval.
