Main menu


+44 (0)151 600 3000


+44 (0)161 836 8800


+44 (0)1772 823 921

Search form

Search form


ICO Announces Changes to Binding Corporate Rules Applications

ICO Announces Changes to Binding Corporate Rules Applications
Friday 1st December 2017

From this week, organisations making applications to the Information Commissioner’s Office (ICO) for Binding Corporate Rules (BCRs) must ensure that they are compliant with the new General Data Protection Regulation (GDPR), coming into force on 25 May 2018.

What are Binding Corporate Rules?

Under the GDPR, personal data can only be transferred out of the EU if there will be a sufficient level of protection in place at the intended destination to protect the rights and privacy of the people involved. If data is transferred in breach of this, organisations could face fines of up to €20million or 4% of annual worldwide turnover, whichever is greater.

For some countries, the European Commission will issue an ‘adequacy decision’ meaning that the data protection laws in that country are already strong enough to protect any personal data transferred. Where there has been no such decision, however, it is down to each organisation to ensure that they put effective safeguards in place to protect the personal data.

One option is to use BCRs. BCRs are rules that apply to all members of a group of companies (or all participants in a joint venture), they determine how personal data is to be processed and protected within that group. Organisations draft their own BCRs, and once they have been approved by the ICO there is no need to require additional safeguards for intra-group transfers of personal data, even if those transfers are to countries outside of the EU. BCRs, once in place, will continue to apply even if the flow of data within the group is altered or there are changes to the group’s corporate structure.

Applications submitted from now on

From this week, the ICO requires that new applications for BCRs must comply with the requirements of the GDPR regarding adequate safeguarding of the data transferred. These applications, though they can be submitted in anticipation of the GDPR entering force, will not be approved until after the 25 May 2018.

Additional guidance on BCR applications is currently being produced by a data protection working party in the EU. It is expected that this guidance will be published by the end of the year. The ICO will be making the guidance available on their website once released.

Applications currently with the ICO and awaiting approval

Many organisations have already submitted applications for BCRs under the current legislation and are waiting to hear back from the ICO. In a press release this week, the ICO confirmed that they will continue to process these applications, and where necessary to ensure compliance with the GDPR they will be contacting organisations directly to request amendments and updates to the applications.

Binding Corporate Rules already approved and in place

Organisations that have BCRs in place that have previously been approved will also need to update their rules. It is a requirement that BCRs are updated to comply with new regulations as they come into force. As such, organisations currently relying on BCRs for cross-border data transfers must ensure that their rules are GDPR-compliant by 25 May 2018.

The ICO should be informed of any changes made, though this can wait for the next annual update communication. The ICO will be writing to all organisations that have approved BCRs nearer the time, to remind them of their obligation to update their rules and advise on the procedure for doing so.

Further information

If you would like to know more about GDPR readiness, cross-border transfers of data or binding corporate rules, please contact a member of our commercial team, or your usual Brabners contact.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.