On November 20, 2017, the UK Information Commissioner’s Office (“ICO”) published an article on its blog containing advice on applications for Binding Corporate Rules (“BCRs”) to comply with requirements under the EU General Data Protection Regulation (“GDPR”). BCRs, which are one of the legal mechanisms available to support transfers of personal data outside the EEA, are codified under the GDPR, prompting a number of companies to explore the possibility of applying for BCR authorization. In its article, the ICO stressed that it will continue to accept applications for BCRs in the lead-up to GDPR implementation on May 25, 2018, and beyond, and that the UK’s exit from the European Union, currently scheduled for the end of March 2019, will not result in the cancellation of any of the approximately 40 BCR applications currently being considered by the ICO.
In addition, the ICO provided advice for organizations at different stages of the BCR authorization process:
- Companies planning to apply for BCRs: Any company considering making an application for BCR authorization should ensure that its application aligns with the requirements of the GDPR. Any new BCR applications submitted to the ICO will be approved after the GDPR’s entry into force in May 2018.
- Applications currently with the ICO: The ICO will contact any companies whose active BCR applications are found not to be compliant with GDPR requirements and ask them to update their applications accordingly. The ICO has deployed extra staff to improve its BCR approval process in the lead-up to the GDPR taking effect.
- Previously approved BCRs: Companies that have previously had BCRs approved by the ICO are advised to check whether their BCRs will remain compliant under the GDPR. The ICO notes that it is a requirement that BCRs take into account changes to the regulatory environment, and suggests that companies with BCRs advise the ICO of any changes in their next annual update.
The ICO also noted that the Article 29 Working Party is updating its existing guidance on BCRs to reflect the GDPR, and that guidance is expected to be published before the end of the year.