The ICO’s Move Towards a More Harmonized Approach for Binding Corporate Rules: The UK BCR Addendum
The UK’s Information Commissioner (ICO) seems to have listened to the feedback on the UK approval process for Binding Corporate Rules (BCRs). Over the summer, the ICO provided for a “self-certification” mechanism, significantly reducing the time required for UK BCRs to be approved (for existing and already approved EU BCRs). And the ICO didn’t stop there, as it is now working on a UK BCR Addendum, the intention of which is to reduce the volume of paperwork required to maintain both the UK and EU BCRs.
These developments are spurred on by the challenges that companies faced with their BCRs after Brexit. Prior to Brexit, companies could maintain one set of BCRs for both the EU and the UK. Post-Brexit, they had to draft and maintain two sets of BCRs. It also became clear that the ICO was going to follow its own path with respect to approvals and approval requirements. And where the intention was to “fast-track” ICO approval for BCRs that had already been approved in the EU, it didn’t quite turn out that way in practice. Until now.
The UK BCR Addendum is designed to be appended to approved EU BCRs. Together with the UK BCRs Summary (see below), they will form the “UK BCRs.” In practice, it means companies can operate a single set of BCRs that will cover both the EU and UK, where otherwise these would require two sets of BCRs.
Companies that have both Controller BCRs as well as Processor BCRs will need to complete two separate UK BCR Addenda (for the reason that the EU does not allow for hybrid BCRs).
Companies that have already approved EU BCRs, which can be EU BCRs approved both before and after GDPR took effect (2018).
Yes, companies can make changes to the UK BCR Addendum. The ICO noted in a recent webinar that the UK BCR Addendum can be used either as a baseline (to be supplemented or amended) or as a standard (when used without further changes). Any changes made to the UK BCR Addendum should be highlighted and companies should include an explanation of such changes. Changes will be reviewed by the ICO and can thus add to the time needed for the ICO to review.
Where the Addendum is used “as-is,” the ICO expects to be able to issue an approval promptly.
The UK BCR Addendum itself is intended to function as the company group’s binding instrument for the UK BCRs. As such, each UK BCRs member will need to sign the Addendum before it can take effect.
In addition to the UK BCR Addendum, companies will need to submit their EU BCRs documentation materials, which include the EU application forms, the EU BCRs’ binding instrument (e.g., intragroup agreement), and the formal approval of the EU BCRs received from the EU regulators. If the Lead UK BCR Member is a UK branch of a non-UK entity, companies will also need to submit a parent company guarantee.
Companies will also need to submit a “UK BCRs Summary” document. The UK BCRs Summary is a short summary document (the ICO does not expect it to be more than two pages) that should contain certain elements, such as contact details, description of transfers, countries to which personal data are transferred, rights of individuals, complaints procedure, and how to bring a claim. The BCRs Summary is intended for individuals (and with respect to BCRs for Processors, for third-party exporters) to take note of how their data is processed, what rights they have under the UK BCRs, and how to enforce these rights. Companies will be required to publish the UK BCRs Summary on their website alongside their EU BCRs.
No. The ICO will not review the EU BCRs or request companies to make changes to their EU BCRs. The ICO will review the UK BCRs Summary and the UK BCR Addendum itself.
The currently published version of the UK BCR Addendum is a draft only, on which the ICO is accepting comments (which can be submitted via mailbox BCRAddendumComments@ico.org.uk). It is possible that further edits will be made to this draft. The ICO expects to publish a final and definitive version of the UK BCR Addendum in November of this year.