Outside a select group of specialists in IT law (and the even more limited and select group of data privacy law specialists), few company advisors or corporate legal departments truly understand how to be in perfect compliance with European Union data privacy regulations.
Yet nearly every company doing business in the EU has to comply.
If you’re reading this, you have probably been frustrated by the complexity of the requirements, provisions such as Safe Harbor, Model Contractual Clauses, whether to appoint a Data Privacy Officer, etc.
Some of that is about to change. Basic compliance could soon be achieved by simply amending your company’s internal policy documents.
How? By adopting Binding Corporate Rules, aka “BCRs”.
BCRs are internal policies that any company controlling data can adopt and apply to its entire group, wherever it is doing business, and be compliant with EU Data Privacy regulations, once and for all.
Until now, BCRs were only an option for ‘controllers’ – but the European Commission’s Article 29 Working Party has adopted a document (WP195) on BCRs for data ‘processors’ (the vast majority of companies are processors, not controllers; if you have to ask, you’re most likely a processor).
Why do you need to know this today?
Because the rules the Working Party published are essentially the same as those already in effect for data controllers – meaning that you can start drafting your BCRs today and ready them for submission. As soon as we are clear that the currently non-binding document is acceptable to EU Member State data authorities, you’re good to go.
Given the pressure from the private sector to simplify data privacy compliance, I think that we’ll soon have a win-win here.
If you need more information or would like help working on your data privacy issues, click the feedback button (on the left).