Binding Corporate Rules: We ve Come a Long Way, Baby!

Transcription

1

2 Binding Corporate Rules: We ve Come a Long Way, Baby! Nuala O Connor Kelly GE Chief Privacy Leader nuala.oconnorkelly@ge.com Christian Pardieu GE EU Privacy Leader and CIL christian.pardieu@ge.com Bridget Treacy Hunton & Williams Head UK Privacy Practice btreacy@hunton.com Hunton & Williams LLP

3 Context Dealing with EU data protection regulatory requirements in a fragmented way is expensive, burdensome and can delay projects GE sought to deal more efficiently and strategically with international data transfers involving EU data reflect the growing importance of personal data in a business context data is a valuable corporate asset that requires strategic management GE s reputation is as a leader and innovator in approaches to information governance and data protection compliance eg close cooperation between CIO and CPO first company to achieve a BCR

4 Why Binding Corporate Rules? Widely regarded as the most practical data transfer mechanism for complex, international corporate groups. For GE, the other possibilities (Model Clauses, Safe Harbor, Consent) are cumbersome and provide an incomplete solution Becoming recognised as the means by which companies may demonstrate strong data governance Renewed EU DPA support for BCRs Renewed focus on resolving delays in approval mutual recognition process GE has previous experience of BCRs

5 BCR is a Way to: Demonstrate Accountability Promote consumer and employee trust Satisfy business information needs while minimizing risk, operating compliantly in multiple jurisdictions Apply consistent privacy standards globally Keep pace with emerging and evolving regulation

6 Global Framework for Personal Data Processing as BCR Concept is BCR Plus ie a refined, next generation, BCR Founded on: Existing legal framework for BCRs International Standards for Data Protection adopted in Madrid 2009 by international data protection regulators which explicitly acknowledges concept of binding internal privacy rules Growing EU DPA support for accountability principle as a new approach to data protection regulation GE s previous experience of BCR and what has been learned from that process

7 Enforcement - Key for success Create a strong compliance culture, beginning at the top of the organization 1 Have global privacy standards, with local or business line level implementation plans 2 Handle Compliance monitoring and enforcement at local level with reporting up the chain to regional and enterprise level management 3 Follow local standards, but be prepared to follow higher standards which will always prevail 4 Train, retrain Employees 5 6 Communicate throughout the organization Conduct periodic audits to enforce privacy compliance commitments 7

8 Features of Global Framework for Personal Data Processing Intended to cover all data, all processing, subject to specific exemptions Based explicitly on International Standards for Data Protection, articulates plain English Do s and Don ts of handling personal data Framework structure, incorporating existing HR BCR and other existing policies and standards Binding legal effect Comply with WP29 checklist (WP153)

9 GE s Privacy Governance Structure Policy Compliance Review Board (PCRB) GE General Counsel Regular updates Corporate Global Privacy Council Employment Data Privacy Committee Corp Audit Staff Chief Privacy Leader Policy stewardship Business reviews Corporate Europe Privacy Leader Business Chief Privacy Leaders Data Protection Review Boards Senior HR/IT Leaders Country Country Privacy Leader Country HR Privacy Leader

10 GE: The Spirit & Letter Policies binding on individuals: New employees receive a copy and acknowledge that they are required to comply Employees re-acknowledge every 18 months Failure to comply can lead to termination of employment Policies binding on GE and controlled affiliates: Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE. Policies binding on third parties: GE businesses must require that others representing GE such as consultants, agents, sales representatives, distributors and independent contractors agree to follow applicable GE policies.

11 GE s BCR Diagram Spirit & Letter GE Policies binding on: GE and controlled affiliates Individuals Third Parties BCR Binding Corporate Rules Apply to all GE Group Members and its employees Has legally binding effect on all GE Entities and employees GE s Commitment GE Data Protection Standards Supplement GE s Commitment Have to comply with GE s Commitment provisions GE s Employment Data Protection Standards Supplier Data Protection Standards Customer Data Protection Standards GE Policies, Guidelines & Working Instructions Summarize what to know, what to do, what to look out for Give instructions on how to process data GE Policies, Guidelines & Working Instructions

12 Privacy e-learning

13 What is different? Explicit characterisation of the BCR as a binding code of conduct at the heart of GE s data governance strategy More efficient approval process?

14 Role of Outside Counsel BCRs are based on standardised requirements but work best when founded on the client s internal strategy and objectives Outside counsel s role is that of a strategist, guide and co-leader, as well as legal adviser May act as a sounding board for believers and non-believers and assist in building consensus Contributes experience, expertise and objectivity: Does not reinvent the wheel Is aware of what has worked for others Fosters DPA relationships Anticipates future direction of travel

15 Outside Counsel Tasks Prepare draft BCR, based on company s: Privacy strategy Privacy programme Legal requirements WP 74: Applying Article 26(2) to BCRs WP 108: BCR Checklist WP 153: BCR Table: elements and principles WP 154: BCR Framework Structure WP 155: BCR FAQs Facilitate key decisions (illustrated by GE Commitment) Scope (geographic and material) Binding Lead DPA Assess any compliance gaps and remediate BCR assumes compliance with EU DP law

16 Future of BCRs? Explicit legal recognition of BCRs in proposed EU Regulation, but Prior authorisation still required Still characterised as a transfer tool Viviane Reding, Commissioner for Justice Fundamental Rights and Citizenship, has specifically hailed BCRs: they offer legal certainty and a lot of flexibility compatible with any corporate culture a very smart data protection tool based on one single law, the European law can also be used by processors cloud computing can be covered by them Code provides a consistent and near comprehensive compliance framework in a cost effective way, building on existing substantive programme GE s Binding Global Code embraces this vision

17 Questions?