In a nutshell, BCRs are internal rules which define the international policy in a multinational group of companies and international organisations regarding personal data cross-border transfers between members of the corporate group. Every entity acting as data controller must be responsible for and be able to demonstrate compliance with the BCRs.
Binding Corporate Rules could be considered strict, approved codes of conduct, but not in the broadest sense of approved codes of conduct under the GDPR: they are internal codes of conduct that govern cross-border transfers of personal data to third countries, that is, to entities, international organisations or multinationals (a group of undertakings, or a group of enterprises engaged in a joint economic activity, including its members) located outside the EU.
Binding Corporate Rules aren’t new – they existed under the previous regime of Directive 95/46/EC (the Data Protection Directive). However, under the GDPR the attractiveness of having Binding Corporate Rules in place is far higher, because for international organisations they make cross-border data transfers much easier. On top of that, BCRs offer ample benefits and aren’t limited to a group of undertakings. They do require a lot of effort, and having them in place means that GDPR compliance is attained, personal data processing principles are respected, data subject rights are ensured, legal grounds for lawful processing are in place, data practices are streamlined and much more. Yet they also offer, among other things, important competitive benefits.
They require a high level of compliance maturity within a company, including policies and procedures, audits and controls, complaint handling, and training that ultimately make BCRs more like a comprehensive compliance program than just a data transfer mechanism. In addition, BCRs involve a regulatory approval process that requires time, resources, and review, as well as the support of a company’s top management and a dedicated Binding Corporate Rules GDPR team.