On 12 February 2019, the European Data Protection Board (“EDPB”) published an information note on Binding Corporate Rules (“BCRs”) for companies which have the Information Commissioner Office (“ICO”) as ‘BCR Lead Supervisory Authority’.
BCRs are personal data protection policies adhered to by a group of undertakings (i.e. multinational companies) in order to provide appropriate safeguards for transfers of personal data from the EEA, to companies within the group, located outside of the EEA. One data protection authority must be nominated as a lead authority, depending on the location of the EU headquarters of the company or the location within Europe of the part of the company best placed to take responsibility for global data protection compliance.
The procedure is designed to avoid multinational companies having to approach each individual country’s data protection authority separately. Once developed and operational, BCRs can provide a framework for a variety of intra-group transfers to meet an organisation’s requirements.
In its information note, the EDPB stated that, in the absence of an agreement between the EEA and the UK (no-deal Brexit), the ICO will no longer have a role in the BCR community. The EDPB sets out the following guidance for companies with the ICO as its nominated lead supervisory authority when nominating a new lead supervisory authority:
- Groups headquartered in the UK wishing to apply for BCRs: Identify the most appropriate lead supervisory authority in a EU Member State, according to the criteria laid down in 1.2 of WP 263 (Article 29 Data Protection Working Party Document).
- Current applications (Draft stage): Groups must identify a new lead supervisory authority according to the criteria in WP 263. The new lead supervisory authority will take over and re-submit a draft decision for approval to the EDPB.
- Current applications (Review stage): Groups must identify a new lead supervisory authority according to the criteria in WP 263. The new lead supervisory authority will take over the application and formally initiate a new procedure at the time of a no-deal Brexit.
- Authorised BCR holders: Identify a new lead supervisory authority according to the criteria in WP 263.