June 1, 2020
As Brexit beckons and the use of binding corporate rules (BCRs) grows, is the UK Information Commissioner’s Office (ICO) still the best choice for lead authority? Or has the balance tipped towards Ireland and other European Economic Area countries?
SETTING THE SCENE – BCRs and DPAs
BCRs provide an effective mechanism for overcoming restrictions affecting international data transfers. Organizations no longer need to implement and maintain a matrix of individual contracts relating to cross-border data transfers. But, to apply and gain approval to use BCRs, each organization must decide which European data protection authority (DPA) to choose as their lead authority. For many multinational companies with operations across several European countries, this decision leaves a certain amount of flexibility to make the right choice for their business.
THE STORY SO FAR – CONTEXT AND COMPETITORS
Data transfer was once a largely rules-based process overseen only by compliance and legal specialists. Increasingly, data transfer is an organization-wide issue drawing CFOs, CIOs, and CMOs into the conversation. This trend illustrates the importance of taking a holistic, rather than purely legal and compliance, approach to data privacy. Differing imperatives and opinions are inevitably influencing the decision-making process over the choice of lead DPA for BCRs.
Under UK Information Commissioner Elizabeth Denham’s leadership, the UK ICO is a globally renowned regulator and until recently a clear first choice as lead DPA for BCR applications, particularly among U.S. multinationals.
Concerns that negotiations on the future partnership between the UK and the European Union will end unsatisfactorily or without clear resolution on key details may complicate this distinction. Uncertainty will continue until Brexit is finalized by the end of the transition in December 2020. As a result, many organizations and their advisers are rethinking their attraction to the ICO.
Meanwhile, Helen Dixon, the Data Protection Commissioner (DPC) for Ireland, is reportedly fielding a flurry of enquiries from companies wanting to explore the DPC route to BCR approval. Ireland will of course remain an EU member after Brexit, so there is no uncertainty to contend with, and its favorable corporation tax regime makes it a magnet for multinationals. Major corporations are elevating Ireland within their portfolio. As an illustration, Google has established a 500,000 square foot EU headquarters in Dublin.
Beyond technology companies such as Google, data is crucial to financial services companies that are influenced by Brexit’s potential impact on data transfers and the decision to make the ICO their lead DPA. While manufacturing is a less data-driven industry than financial services, we are seeing growing interest in BCRs from this sector, particularly in technology manufacturing, where savvy CPOs are focusing resources.
SPEED AND COST – RESOURCES ARE A SIGNIFICANT FACTOR
BCRs can lead to significant time and cost savings. One approved BCR application covers all data processing activities and does not require thousands of individual data transfer contracts and the associated legal fees. However, gaining approval can be a lengthy process. The ICO states that an application review and award process averages 12 months. The preparation time for submittal can be 12 to 24 months.
There have been exceptions, such as industrial manufacturer Corning, which appointed the French National Data Protection Commission (CNIL) as its lead DPA and took just six months to achieve approval. This is the fastest successful BCR application in Europe. It is notable that Corning’s global CPO began investing in preparation two years before the formal BCR application process.
DIFFERENT COUNTRIES, DIFFERENT DRIVERS
Beyond the UK and Ireland, there are five other preferred destinations: Luxembourg, Belgium, the Netherlands, France and Germany.
While there are differences between these countries, they are not as clear as the distinction between Ireland and the UK.
Instead, there are three main drivers for non-UK or Irish destinations. The first is the business model, or how the organization sets up its business, particularly in relation to marketing and digital strategy. For example, an organization might have the UK as the location of its registered office, while most of its marketing activities are in the Netherlands. That means transferring high volumes of EU data within the European Economic Area, and indeed the rest of the world. In this case the company may prefer to strategically consider where its main decision-making, establishment and data processing activities sit within the business.
The second driver is the data governance model, which may be characterized as hybrid, decentralized or centralized. The type of model will influence the BCR strategy. As more fluid, hybrid models prove increasingly popular, we are seeing arrangements where multinationals have data processing activities across the European Economic Area and the UK. Such companies will need to strategically and carefully examine how their choice of lead DPA will best facilitate the transfer of data between the UK and Europe, and the rest of the world.
The third driver is security governance. Some European regulators make cybersecurity a very strong element of the BCR application, presenting a significant barrier for those not already well prepared. Germany is notably strict in this regard but not alone in taking a tough line on cybersecurity audit. Here it is important to have a local law firm advise on the right approach and engage with the DPA, plus a consultant engaging with a holistic team drawn from the business’s data, finance, IT and marketing functions.
BCR BUDGETS – IT’S GOOD TO SHARE
Before seeking budget approval, a sound business case needs to be built defining the best BCR model, carrying out a detailed cost-benefit analysis and designing a preparation phase according to current levels of maturity. In terms of external advisers, joint working between a law firm providing legal advice and a consultancy offering data privacy, cybersecurity, and project management services is the route we favor.
Once the project has been scoped, we recommend taking a collective budget approach to BCRs. This draws monies from relevant areas of the business, with contributions from the data privacy, cybersecurity, IT, finance, marketing, and HR budgets. This approach differs from the traditional model, whereby all costs fall to the general counsel or the compliance function.
There are two central advantages to this approach. First, while BCRs will save costs over time, the application and approval process represents a significant initial investment; spreading the expense across the business makes the level of effort and resource more feasible. Second, the wider number of participants with budget commitments results in engagement across the business.
The outcome of Brexit negotiations will impact the ICO’s future appeal as a lead DPA for BCRs. Financial and operational considerations may dictate alternative locations and regulators for market participants.