Morrison Foerster is an international law firm with lawyers practicing throughout the United States, Asia, and Europe. Click to discover more.

mofo_share_image.jpg

Morrison Foerster

common-default.jpeg

Terms / Notices

Cookies

Privacy Policy

Reporting Hotline

Attorney Advertising

Alumni

  Linkedin

MoFo LinkedIN

  Facebook

MoFo Facebook

YouTube

MoFo Youtube

Morrison Foerster - Footer

A MoFo Privacy Minute Q&A: UK BCRs; Is the ICO Making Good on Its Promise?

You have not solved the recaptcha challenge yet or session expired, try again.

Email Disclaimer

Disclaimer

Unsolicited e-mails and information sent to Morrison Foerster will not be considered confidential, may be disclosed to others pursuant to our <a href="https://www.mofo.com/about/privacy-policy.html">Privacy Policy</a>, may not receive a response, and do not create an attorney-client relationship with Morrison Foerster. If you are not already a client of Morrison Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

Feedback

mofo-logo-2022.svg

People

Capabilities

Resources

About

Culture

Offices

Careers

Stay Connected

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.

About Morrison Foerster

people-default-header-desktop.jpg

people-default-header-mobile.jpg

Default Meta Data

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.Question: The UK Information Commissioner’s Office (ICO) is taking a long time to approve our UK Binding Corporate Rules (UK BCRs) for cross-border data transfers under the UK GDPR, even though our company has approved EU Binding Corporate Rules (EU BCRs).Will the ICO develop a more efficient way to approve these types of UK BCRs?Answer:Yes. The ICO has recently created a self-certification system for UK BCR applicants who had their EU BCRs approved prior to the GDPR entering into force. Companies that self-certify their compliance with the UK BCR requirements will receive certification promptly. The ICO is also preparing a template UK Addendum for holders of an approved EU BCR (UK BCR Addendum), which will allow for the UK BCRs to be appended to the EU BCRs, rather than these having to be stand alone. The ICO has not provided details on what the UK Addendum will look like yet but has indicated that it intends to publish an amendable template UK BCR Addendum as soon as this autumn of this year.Following Brexit, the ICO developed its own approval regime for UK BCRs, requiring companies to create standalone UK BCRs and file them with the ICO. Companies whose EU BCRs were authorized by the ICO before the GDPR entered into force on May 25, 2018 were automatically eligible for UK BCRs after Brexit. However, companies who had EU BCRs approved by a lead supervisory authority other than the ICO needed to proactively create standalone UK BCRs and seek the ICO’s approval (see our <a href="https://www.mofo.com/resources/insights/201216-bcrs-after-brexit">Client Alert</a>).In July 2022, the ICO issued new guidance and approval requirements for UK BCRs in an effort to make them less prescriptive and principles-based; however, this has required that companies with existing EU BCR approval prepare a separate set of UK BCRs tailored for the UK. While the ICO intended to fast-track applications from entities with approved EU BCRs, in practice, the process has taken many companies a long time and approvals have been slow (see our <a href="https://globaldatareview.com/article/navigating-binding-corporate-rules-updated-requirements-in-the-eu-and-uk" target="_blank" style="direction: ltr;text-align: left;">Article</a>).In a change of approach, the ICO is now providing companies with approved EU BCRs and active UK BCR applications the option of submitting their amended UK BCR documents to the ICO and self-certifying their compliance with the UK BCR requirements. The ICO has stated that self-certified companies will receive UK BCR certification promptly but that the ICO will aim to review or audit any self-certified UK BCRs within three years of approval.Companies still have the option of asking the ICO to continue their review of their UK BCRs and provide approval, but the ICO notes that it may take up to 18 months for approval (assuming prompt replies to feedback) and that this option would be preferable for applications that are at an advanced stage.The ICO has also indicated that companies could switch to the UK BCR Addendum once it is available, even if it has decided to proceed with one of the two other options mentioned above.The change in course is welcomed, as it will allow certain companies to indeed “fast-track” their UK BCRs where they are confident they meet the UK BCR requirements.

Sign Up

<div class="videoWrapper"><iframe title="Meet Alex van der Wolk, Privacy and Data Security Partner" src="https://www.youtube-nocookie.com/embed/DP4avINgkB8?rel=0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen="1" class="sticky-video" title="iframe"></iframe></div>Alex van der Wolk, co-chair of Morrison Foerster’s preeminent Global Privacy & Data Security practice and managing partner of the firm’s Brussels office, employs his nearly 20 years of experience to advise global companies on their most complex data strategies and compliance programs governing all aspects of information management. Alex’s clients benefit from his practical approach and global perspective, saying: “he quickly gets to the heart of the issue and provides solid, pragmatic advice based on the experience he has gained,” “in addition to having very strong legal knowledge, he has a commercial understanding and provides great insight in global matters,” and  “Alex is a true privacy expert with the ability to offer practical guidance on complex problems” (Chambers EU).Alex helps clients develop privacy and data strategies at the forefront of their digital and data-driven endeavors, especially those involving new technologies, such as artificial intelligence and the metaverse. He has particular experience assisting clients with structuring their approach to data in specialized areas, such as health-tech, Agtech, and Adtech. Alex is an experienced litigator, representing clients in privacy litigation in Europe, including successfully representing clients in the first class action cases in the Netherlands and the UK. Additionally, Alex is often called upon to head crisis management teams for clients facing investigations by data protection authorities or responding to cybersecurity incidents. He counsels clients on their incident and cyber preparedness and has done significant work advising clients on EU cyber and data regulatory frameworks, such as NIS2, DORA, the Cyber Resilience Act, and the EU Data Act.Notably, Alex was one of the first practitioners in Europe to help companies set up Binding Corporate Rules (BCRs), and since that time has used this deep knowledge to develop a longstanding and unparalleled track record in obtaining regulatory approval for BCRs, both in the EU and in the UK.Alex is a frequent speaker at high-profile international conferences, including IAPP and South by Southwest (SXSW), and is a guest lecturer at the Tilburg Institute for Law, Technology, and Society. He is a Dutch-qualified lawyer and a member of the Amsterdam and Brussels Bars. He speaks fluent English and Dutch.

Alex van der Wolk

Managing Partner, Brussels

Dan Alam is a member of Morrison Foerster’s Global Privacy + Data Security and Employment + Labor Groups, based in London.A dynamic lawyer and pragmatic problem solver, Dan supports clients on their contentious, advisory and transaction-related data protection and employment issues on a UK, pan-European and global level. He is described by Legal 500 UK as advising on the “intersection of employment and data protection law”.He regularly works on multijurisdictional projects, and advises clients in a variety of sectors, such as those operating in the technology, media, insurance, pharmaceutical, hospitality, retail, shipping and logistics industries.Dan has a wide breadth of experience advising on a range of complex matters, such as supporting clients with deploying artificial intelligence (AI) systems, responding to data security incidents and creating comprehensive whistleblowing compliance programs. Dan also regularly assists clients with internal investigations and their dealings with data protection regulators.Dan is a founding member and a main contributor to MoFo’s <a href="/gdpr-european-privacy/whistleblowing" target="_self">Whistleblowing Resource Center</a>, which is relied upon by many organizations to support their compliance efforts, and is also leveraged by Thomson Reuters Practical Law to provide <a href="https://uk.practicallaw.thomsonreuters.com/w-034-1767?transitionType=Default&contextData=(sc.Default)&firstPage=true" target="_blank">updates</a> to its subscribers. Dan has been closely monitoring the implementation of the European Union (EU) Whistleblowing Directive since its inception. He has presented on and advised clients on the implementation of the Whistleblowing Directive across the EU, and regularly provides practical advice to clients on the new requirements and how to incorporate them into their global whistleblowing and investigations processes. Examples of Dan’s other experience include:<ul><li>Advising technology companies and a global logistics and delivery company on the launch of new products, including those involving AI.</li><li>Providing support to clients on how to comply with cross-border data transfer and data localization restrictions.</li><li>Helping to respond to regulatory requests from the UK Information Commissioner's Office (ICO) and other data protection regulators, including in relation to direct marketing, the collection and use of children’s data and the ICO’s Children’s Code and data security incidents.</li><li>Advising on age assurance mechanisms and obligations under the UK Online Safety Act.</li><li>Defending clients against claims for compensation in respect of alleged breaches of privacy and data protection law.</li><li>Negotiating data processing agreements on behalf of clients acting as controllers and/or processors.</li><li>Providing specialist data protection and employment support on various public and private transactions, with particular experience advising on the acquisition of technology and AI companies.</li><li>Guiding employers on their employee monitoring practices and the collection of diversity and inclusion data.</li><li>Representing the administrators of a technology company in respect of an asset sale of its business, advising on collective redundancy and Transfer of Undertakings (TUPE) issues.</li><li>Participating in industry working groups to respond to government consultations on employee data protection issues.</li></ul>Before joining Morrison Foerster, Dan spent two months working at the Irish Data Protection Commission.Dan actively contributes to the firm’s pro bono initiatives by working for a variety of charities and NGOs. In addition to assisting organisations on data protection and employment matters, he also advises on social security and statelessness issues. Dan was part of the collaboration between Asylum Aid and various law firms that was recognized with the “Excellence in Pro Bono” Award by the Law Society of England and Wales in 2021 for work addressing the issue of statelessness in the United Kingdom. Dan is also co-chair of the Morrison Foerster London ethnic minority network – MoFo Together.Dan is qualified as a solicitor in England and Wales.