Creating Binding Corporate Rules
Note: Links to our free templates are at the bottom of this long guide.
Also note: This is not legal advice
Introduction
Data protection and security have become increasingly important for all businesses in recent years, with organizations collecting and processing large amounts of personal data. In order to ensure this data is secure and compliant with applicable laws, many are now turning to Binding Corporate Rules (BCRs) policies.
BCRs are corporate policies specifically designed to meet the requirements of different national data protection laws, allowing businesses that handle data from multiple jurisdictions to standardize their compliance measures. This provides a valuable level of assurance for customers concerned about the secure handling of their personal details. Importantly, BCRs also bring numerous practical benefits: streamlining data processing activities across various countries, providing a clear legal framework that reduces the risk of costly litigation, and allowing access to certain cross-border transfer rights while ensuring compliance with relevant regulations.
The Ƶ team are dedicated advocates of using BCRs as an essential tool for companies worldwide, helping them demonstrate their commitment to privacy and security while benefiting from increased efficiency when transferring data between jurisdictions. Here at Ƶ we provide free binding corporate rules templates plus our step-by-step guidance online, with no account necessary, so that anyone can draft and customize high quality documents today without requiring legal assistance!
Definitions
Binding Corporate Rules (BCRs): A set of legally binding rules that provide assurance to data protection authorities that an organization is taking measures to protect and safeguard the personal data of individuals, especially those that need to transfer personal data across borders.
Data Protection Officer (DPO): A person responsible for overseeing an organization’s data protection compliance, ensuring that the organization is compliant with all applicable data protection regulations.
Data Protection and Privacy Policy: A policy that ensures an organization is compliant with all applicable data protection regulations. It may include descriptions of the types of data collected, how it is collected, stored, and used, as well as details on how individuals can access and update their data.
Data Sharing Agreement: An agreement between organizations that outlines the responsibilities of each party when transferring data across borders.
Encryption: The process of transforming data so that it is unreadable to anyone without a special key.
Access Controls: Restricting access to data based on certain criteria, such as user identity or authorization level.
Audit Logging: Tracking and recording changes to data and activities related to data processing.
Contents
- Understanding the basics of Binding Corporate Rules (BCRs)
- Identifying which countries your organization operates in
- Understanding the data protection regulations of each country
- Establishing a Data Protection Officer
- Defining the role and responsibilities of the Data Protection Officer
- Selecting and appointing the Data Protection Officer
- Establishing a data protection and privacy policy
- Assessing the risk of transferring data across borders
- Identifying the transfer mechanisms and implementing them
- Reviewing existing data sharing agreements between organizations
- Establishing standard clauses in data sharing agreements
- Considering additional safeguards to prevent unauthorized access
- Crafting an acceptable use policy
- Defining the types of data that can and cannot be used
- Assigning roles and responsibilities
- Creating a data processing agreement
- Defining the roles and responsibilities of each party
- Specifying the types of data being processed
- Setting out the terms and conditions of the agreement
- Documenting the BCRs
- Outlining the purpose of the BCRs
- Describing the roles and responsibilities of each party
- Defining the data protection safeguards that must be in place
- Submitting the BCRs to the data protection authorities
- Preparing all necessary documentation
- Applying for approval from the relevant data protection authority
- Ensuring continuous compliance with the BCRs
- Monitoring changes in data protection laws and regulations
- Monitoring changes in business plans, processes and operations
- Reviewing and updating data protection policies and procedures as needed
Get started
Understanding the basics of Binding Corporate Rules (BCRs)
- Understand the purpose of Binding Corporate Rules (BCRs) and the benefits they provide
- Learn about the history of Binding Corporate Rules (BCRs) and the European Union’s Data Protection Regulation
- Read up on the requirements of Binding Corporate Rules (BCRs) and the legal framework they operate in
- Understand the concept of data transfers, data controllers and data processors
- Research the different types of Binding Corporate Rules (BCRs)
- Review the potential consequences of data protection non-compliance
You will know you can check off this step when you have a sound understanding of Binding Corporate Rules (BCRs), including the purpose, history, requirements and legal framework.
Identifying which countries your organization operates in
- Make a list of all countries in which your organization operates
- Identify which countries have applicable data protection regulations, such as the EU GDPR
- For each country, research the country’s data protection regulations and understand what the data protection requirements are
- Ensure all applicable countries are added to the list
You can check this off your list when you have identified all applicable countries and understand the data protection regulations in each of those countries.
Understanding the data protection regulations of each country
- Research the data protection regulations for each country your organization operates in
- Make sure you understand what is required of your organization to be compliant with the laws and regulations in each country
- Make notes on any laws or regulations that might be different between countries
Once you have a general understanding of the data protection regulations of each country, you can move on to the next step.
Establishing a Data Protection Officer
- Determine the need for a Data Protection Officer (DPO). Consider the number of data processing activities, the geography of data processing activities and the level of complexity of data processing activities.
- Appoint a DPO and make sure they have the necessary knowledge and expertise to perform the role.
- Ensure the DPO is independent and given the necessary authority to perform their duties.
- Provide the DPO with the necessary resources and support to carry out their responsibilities.
- Make sure the DPO is available to employees and the public to answer questions regarding data protection.
You will know you can check off this step when you have appointed a DPO who is independent and has been given the necessary authority and resources to perform their duties.
Defining the role and responsibilities of the Data Protection Officer
- Document the role of the data protection officer and ensure it is in line with the GDPR requirements
- Outline the duties expected from the data protection officer in relation to the Binding Corporate Rules
- Specify the data protection officer’s responsibilities with respect to the data controller, data processor, and any other relevant third parties
- Make sure the data protection officer has the necessary resources to fulfil their duties
- Ensure that the data protection officer is kept up to date with the relevant changes in data privacy legislation
When the role and responsibilities of the data protection officer have been established, this step can be completed.
Selecting and appointing the Data Protection Officer
- Identify and evaluate qualified candidates for the role of Data Protection Officer
- Interview potential candidates and assess their qualifications
- Select a suitable candidate to fill the role of Data Protection Officer
- Draft an employment agreement for the Data Protection Officer
- Negotiate and finalize the terms of the agreement
- Appoint the Data Protection Officer
When the Data Protection Officer has been appointed, the step is complete and you can move on to the next step: Establishing a data protection and privacy policy.
Establishing a data protection and privacy policy
- Draft the BCRs policy document.
- Outline the data processing activities and purpose of data processing.
- Define the personal data and categories of data subjects.
- Establish the legal basis for processing.
- Describe the rights of data subjects.
- Define the security measures for data protection.
- Establish the data retention period.
- Describe the data monitoring and audit process.
- Sign and date the policy document.
You will know when you can move on to the next step when you have signed and dated the policy document.
Assessing the risk of transferring data across borders
- Evaluate the risks associated with cross-border data transfers, including legal and regulatory compliance, security and privacy
- Determine where the data will be located, stored and processed
- Identify any personal data that may be transferred and assess the potential privacy risks
- Consider the countries and regions you will be transferring data to and from, and whether they have adequate data protection laws
- Assess the potential security risks associated with the transfer of the data
- Identify any contractual or technical measures that can be put in place to reduce the risks
Once all risks have been identified and assessed, this step can be checked off the list and the next step can be pursued.
Identifying the transfer mechanisms and implementing them
- Determine the most appropriate mechanism for transferring data across borders, such as Binding Corporate Rules (BCRs), EU-U.S. Privacy Shield, Standard Contractual Clauses, or other legal mechanisms
- Establish a process for implementing the chosen data transfer mechanism, including:
  - Developing a policy for how data will be transferred
  - Establishing procedures for maintaining the mechanism
  - Training staff on the data transfer requirements
- Obtain approval from the relevant stakeholders
- Document the data transfer mechanism and all related procedures
You can check this off your list and move on to the next step when the data transfer mechanism has been identified, implemented and approved by the relevant stakeholders.
Reviewing existing data sharing agreements between organizations
- Review existing agreements between organizations to ensure that they are accurate, up-to-date, and compliant with data protection regulations
- Compare the existing agreements to the requirements for Binding Corporate Rules, such as the requirements for adequate protection, purpose limitation, and data transfers based on consent
- Identify any gaps between the existing agreements and the requirements, and prepare amendments and/or additional agreements if needed
- After reviewing and/or amending existing agreements, confirm that all agreements between organizations meet the requirements for Binding Corporate Rules
Once all existing agreements meet the requirements, you can move on to the next step of establishing standard clauses in data sharing agreements.
Establishing standard clauses in data sharing agreements
- Draft language for standard clauses for use in data sharing agreements
- Include clauses for data protection, data security, data transfer, data usage, data retention, and data destruction
- Ensure language is compliant with applicable laws and regulations
- Confirm standard clauses are suitable for use in all data sharing agreements
When standard clauses are finalized and approved, you can check this off your list and move on to the next step.
Considering additional safeguards to prevent unauthorized access
- Review your existing data security policies and procedures to ensure they provide adequate protection against unauthorized access
- Ensure that all individuals who have access to data are properly trained and understand the importance of data security
- Implement additional safeguards such as two-factor authentication and encryption for data in transit and at rest
- Monitor access to data to ensure only authorized individuals have access
- Establish a process for regularly reviewing and updating data security policies and procedures
When all additional safeguards have been implemented and reviewed, this step can be completed and you can move on to crafting an acceptable use policy.
Crafting an acceptable use policy
- Draft an acceptable use policy which outlines the types of activities users may or may not engage in while using the company’s data and systems
- Make sure to include the company’s expectations for data security and privacy, as well as what the consequences are for not following the policy
- Ensure that the policy is available to all employees and is easy to understand
- Make sure to include a clause that requires employees to maintain the confidentiality of the company’s data and systems
- Ensure that the policy is regularly reviewed to ensure that it is up to date and still relevant
When you are finished, you should have an acceptable use policy that outlines the activities employees can and cannot engage in while using the company’s data and systems, states the company’s expectations for data security and privacy and the consequences for not following the policy, requires employees to maintain the confidentiality of the company’s data and systems, and is available to all employees in an easy-to-understand form. Once you have drafted and reviewed the policy, you can check this off your list and move on to the next step.
Defining the types of data that can and cannot be used
- Analyze the data that will be processed and identify the types of data
- Identify if any special categories of data will be processed, such as sensitive personal data
- Decide which types of data are allowed to be processed and which are not
- Create a data classification scheme to distinguish between different categories of data
- Establish a process to ensure that data is properly classified according to the scheme
- Document the types of data that can and cannot be used in the Binding Corporate Rules
- Review and obtain the necessary consents for the processing of any special categories of data
When all the types of data have been identified and classified, and the appropriate consents have been obtained, this step can be checked off the list and the next step can be started.
Assigning roles and responsibilities
- Identify who is responsible for data protection compliance, such as a Data Protection Officer (DPO).
- Set up a dedicated team to handle data protection issues.
- Assign roles and responsibilities to each team member.
- Agree on and document specific data protection roles and responsibilities for each team member, including the DPO.
- Make sure the DPO has the necessary qualifications and authority to perform their role.
Once you have identified who is responsible, assigned roles and responsibilities and documented them, you can move on to the next step in creating Binding Corporate Rules.
Creating a data processing agreement
- Create a document outlining the data processing agreement, which should include the roles and responsibilities of both parties
- Make sure the agreement is consistent with the privacy policies of both parties and meets all data protection requirements
- Have the agreement signed and dated by both parties
- Make sure there is a way for both parties to monitor and enforce the agreement
- Review the agreement periodically to ensure it is up to date
Once all of the above steps have been completed, the data processing agreement can be checked off the list and the next step can be addressed.
Defining the roles and responsibilities of each party
- Identify the parties involved in the agreement.
- Define the role of each party and their responsibilities.
- Assign responsibility for compliance with the BCRs to a Data Protection Officer (DPO).
- Ensure that the roles and responsibilities of each party are clearly established and documented.
- Specify that each party is responsible for taking appropriate measures to protect the data and for any data losses or breaches that may occur.
- Agree to regular reviews of the roles and responsibilities of each party.
You can check this off your list and move onto the next step once you have identified the parties involved and defined their roles and responsibilities, assigned responsibility for compliance to the DPO, and agreed to regular reviews of the roles and responsibilities of each party.
Specifying the types of data being processed
- Identify what type of data you are processing (e.g. personal data, financial data, etc.).
- Create a comprehensive list of all the data types and categories that will be processed.
- Outline the purpose for which the data will be used.
- Specify the scope of the data processing activities.
- Define the retention periods for each type of data.
You can check this step off your list when you have identified all the data types, categories and purposes for which the data will be used, as well as the scope and retention periods for each type of data.
Setting out the terms and conditions of the agreement
- Draft a written agreement that outlines the terms and conditions of the data processing activities the company will engage in
- Make sure the agreement covers all applicable data protection laws and regulations
- Have the document reviewed and approved by legal counsel
Once the agreement is finalized and approved, it is ready to be documented as Binding Corporate Rules (BCRs).
Documenting the BCRs
- Create a document that outlines the BCRs in detail, including all necessary clauses and provisions.
- Ensure that the document is properly formatted in compliance with the applicable laws and regulations.
- Have the document reviewed and approved by a qualified legal professional.
- Make sure that all versions of the BCRs are kept up-to-date with any changes in the law or regulations.
Once the document has been reviewed and approved, it can be signed off and completed.
Outlining the purpose of the BCRs
- Draft a concise and clear statement of the purpose of the BCRs
- Describe the goals of the BCRs, such as protecting data and establishing trust
- Ensure that the purpose of the BCRs is consistent with the applicable data protection laws
When the statement has been approved, you can check this step off your list and move on to the next step.
Describing the roles and responsibilities of each party
- Define the roles of the Data Controller and Data Processor within the BCRs
- Assign responsibilities to each party, including those related to data security, data access, data handling, and data monitoring
- Identify the individual or team responsible for overseeing the implementation of the BCRs
- Outline how each party will communicate with each other regarding data protection
- Make sure any third-party contractor or subcontractor responsibilities are clearly defined
After you have defined the roles and responsibilities of each party related to the BCRs, you can check this off your list and move on to the next step, which is to define the data protection safeguards that must be in place.
Defining the data protection safeguards that must be in place
- Identify and document the data protection requirements that must be implemented in order to comply with applicable data protection laws.
- Ensure that the safeguards are appropriate for the scope of the data processing activities and the type of personal data being processed.
- Develop and implement contractual provisions that meet the requirements of the applicable data protection laws, including but not limited to data subject rights, data retention, data security and data transfer.
- Develop a system for monitoring and auditing compliance with the BCRs.
When these safeguards have been identified, documented, and implemented, you can move on to the next step of submitting the BCRs to the data protection authorities.
Submitting the BCRs to the data protection authorities
- Contact the local data protection authority and inquire about the specific requirements for submitting the BCRs
- Prepare the documents needed to submit the BCRs, such as a BCR template and any additional documents required by the data protection authority
- Submit the BCRs to the data protection authority and await approval
Once approval is received, the BCRs are officially implemented and you can move on to the next step of preparing the necessary documentation.
Preparing all necessary documentation
- Draft a comprehensive set of BCRs that is tailored to fit your organization’s internal data flows.
- Ensure that the BCRs comply with the laws of the countries in which your organization operates.
- Create a gap analysis to identify the differences between the BCRs and the current data protection laws of the countries in which your organization operates.
- Draft a privacy impact assessment (PIA) to explain the potential data security risks to the data protection authority.
- Submit any additional documents that may be required by the data protection authority.
You can check this off your list and move on to the next step once you have collected all the necessary documents and information and submitted them to the relevant data protection authority.
Applying for approval from the relevant data protection authority
- Contact the relevant data protection authority to determine the application process and requirements
- Prepare all necessary documents required by the authority, such as a complete and detailed description of the data processing activities, internal policies and procedures, and any other documents required by the authority
- Submit the application to the authority, along with all necessary documentation
- Monitor the application process and respond to any requests or queries from the authority
- Once the application is approved, the data protection authority will issue an approval letter confirming the BCRs are compliant with applicable regulations
- Once the approval letter has been issued, the process of ensuring continuous compliance with the BCRs can begin
Ensuring continuous compliance with the BCRs
- Establish a system to regularly review and update the BCRs
- Assign personnel responsible for monitoring changes in applicable data protection laws and regulations
- Periodically review the BCRs and update them, if needed
- Ensure that all changes are documented, and that all personnel are aware of the changes
- Ensure that all personnel involved in the BCRs understand their roles and responsibilities in complying with them
- Ensure that any changes to the BCRs are reported to the relevant data protection authorities
- Monitor the effectiveness of the BCRs on a regular basis and ensure that any issues are addressed immediately
You can check off this step when you have established a system for regular review and updates, assigned personnel responsible for monitoring changes, reviewed and updated the BCRs (if necessary), documented changes, and reported changes to the relevant data protection authority.
Monitoring changes in data protection laws and regulations
- Develop a process for monitoring changes in data protection laws and regulations in the countries in which the data subjects are located.
- Assign a team member to monitor changes in data protection laws and regulations as they become available.
- Review the changes in data protection laws and regulations and make any necessary updates to the BCRs.
- Document the changes made to the BCRs and the date of the changes.
When all changes have been reviewed and the BCRs have been updated, check off this step and move on to the next step.
Monitoring changes in business plans, processes and operations
- Establish a process to regularly review changes in business plans, processes and operations
- Monitor changes to ensure that any new plans, processes or operations do not conflict with existing data protection laws, regulations, and policies
- Track any changes that may affect the data protection of information
- Ensure that any changes to business plans, processes or operations are documented, including the date of the changes, the reason for the changes, and any applicable data protection policies or procedures
- Check the process regularly to ensure that changes have been properly documented
- Verify that all changes have been properly implemented and that the data protection of information is still in compliance with applicable laws and regulations
When all changes have been properly implemented and documented, you can move on to the next step of reviewing and updating data protection policies and procedures as needed.
Reviewing and updating data protection policies and procedures as needed
- Review current data protection policies and procedures
- Identify areas of improvement or potential risks
- Assess potential changes to policies and procedures
- Create new policies when needed
- Update existing policies as needed
- Test policies and procedures for effectiveness
- Re-evaluate policies and procedures on a regular basis
How you’ll know when you can check this off your list and move on to the next step:
- When all necessary changes are made according to the review process
- When all policies and procedures are tested and certified as effective
- When all policies and procedures are up-to-date and compliant with applicable laws and regulations
FAQ
Q: What are the main differences between the UK, EU, and US versions of Binding Corporate Rules (BCRs)?
Asked by Rebecca on May 21st, 2022.
A: The main difference between the UK, EU, and US versions of Binding Corporate Rules (BCRs) is the jurisdiction in which the rules are applied. Generally speaking, BCRs are designed to protect data transfers between different countries, and each country has its own specific regulations and requirements when it comes to data transfer.
In the UK, BCRs must comply with the Data Protection Act 2018 (DPA 2018); in the EU, with the General Data Protection Regulation (GDPR). Both include provisions on data protection principles, rights of data subjects, and rules relating to international transfers. In the US, BCRs must comply with the various state and federal laws that govern data privacy, which include provisions on data security, data protection principles, rights of data subjects, and rules relating to international transfers.
Therefore, when creating Binding Corporate Rules for a business that operates in multiple countries, it is important to ensure that the BCRs meet the requirements of each jurisdiction in which they will be applied.
Q: How do I know if I need Binding Corporate Rules for my company?
Asked by Christopher on August 8th 2022.
A: Whether or not your company needs Binding Corporate Rules (BCRs) depends largely on your particular business model and how your business processes or stores personal information. If your business processes or stores personal information of individuals in different countries or territories, then you may need to implement BCRs in order to legally transfer that information across international borders.
For example, if your company operates in both France and Germany, you may need BCRs if you plan to transfer personal information from France to Germany or vice versa. Similarly, if your company operates in multiple countries within the European Union (EU), you may need BCRs in order to legally transfer personal information across EU borders.
It is also important to consider other factors such as your industry sector and specific business activities when determining whether or not you need Binding Corporate Rules for your company. For example, if you operate an online store that sells products or services internationally, then you may need BCRs in order to transfer customer information from one country to another. Similarly, if your company provides cloud-based software services that are used by customers around the world, then you may need BCRs in order to store personal information securely across multiple jurisdictions.
Q: What steps should I take when creating Binding Corporate Rules?
Asked by Sarah on April 15th 2022.
A: When creating Binding Corporate Rules (BCRs), there are several steps that should be taken in order to ensure compliance with applicable laws and regulations. First and foremost, it is important to conduct a thorough review of applicable laws and regulations in all relevant jurisdictions in order to determine what specific requirements must be met when creating BCRs. Next, it is important to identify any potential risks associated with transferring data across international borders and create policies and procedures that address those risks appropriately.
Once any potential risks have been identified and addressed appropriately through policies and procedures, it is time to create the actual binding corporate rules document. This document should outline all relevant policies and procedures related to data transfer between jurisdictions as well as any additional measures that need to be taken in order to ensure compliance with applicable laws and regulations. It is also important to ensure that all relevant stakeholders understand the binding corporate rules document in order for it to be effective.
Finally, once the binding corporate rules document has been created and all stakeholders understand its contents, it is important to regularly review the document in order to ensure that it remains compliant with applicable laws and regulations as well as any changes that may have occurred over time such as new technologies or new regulations being introduced etc.
Q: What are some best practices for implementing Binding Corporate Rules?
Asked by Joshua on October 1st 2022.
A: Implementing Binding Corporate Rules (BCRs) involves following best practices for data processing activities, such as:
- ensuring appropriate security measures are taken when transferring personal data across international borders;
- putting appropriate technical measures and access controls in place;
- putting appropriate measures in place for informing individuals whose personal data is being transferred;
- monitoring compliance and conducting periodic reviews;
- providing updates on changes;
- putting appropriate safeguards in place.
It is also important to regularly review the terms of your BCRs document in order to ensure continued compliance with applicable laws and regulations, and to account for any changes that may have occurred over time, such as new technologies or new regulations being introduced.
Q: Are there any specific industry sectors which require Binding Corporate Rules?
Asked by William on December 16th 2022.
A: Yes. There are certain industry sectors which may require Binding Corporate Rules (BCRs) due to their particular nature or activities involving cross-border data transfers, such as healthcare organizations which operate internationally, companies providing cloud-based services which operate globally, and companies providing online banking services which operate internationally. Additionally, certain sectors such as technology companies or software-as-a-service (SaaS) companies may require additional safeguards due to their particular circumstances or personal information processing activities, such as obtaining customer consent before processing customer data, implementing two-factor authentication systems for customer accounts, and encrypting customer data at rest or in transit. Depending on your particular sector or business model, additional steps may be needed in order to comply with relevant laws and regulations concerning cross-border transfers of personal information, such as the GDPR or other privacy regimes in the countries where you operate.
Example dispute
Suing a Company Using Binding Corporate Rules
- A plaintiff could bring a lawsuit against a company for not following their binding corporate rules.
- The binding corporate rules in question should outline the processes and protocols that a company should adhere to when handling personal data, such as customer information.
- The lawsuit could allege that the company has breached the rules and resulted in damages, either financial or non-financial, to the plaintiff.
- To win the case, the plaintiff would need to demonstrate that the company violated the binding corporate rules and that the violation caused the plaintiff to suffer harm, such as loss of money or privacy.
- The court could order the company to pay damages to the plaintiff based on the severity of the violation and the extent of the damages suffered.
- The court could also order the company to take corrective action to ensure that similar violations do not occur in the future.
Templates available (free to use)
Binding Corporate Rules on Personal Data Transfers to Other Companies from UK to Outside EEA
Binding Corporate Rules on Personal Data Transfers to Same Group Companies from UK to Outside EEA
Procedure for Handling Complaints Under Binding Corporate Rules (BCR)