The ICO is to modify its approach to UK BCRs. The aim is to refresh the guidance to be more "principles-based" and less prescriptive than what we are used to with the EU BCR process.
The rationale for the changes is (substantively) sensible and aims to simplify the content. However, this will mean that a UK application will be different from an EU one: piggybacking the UK on the EU will not work.
There is also lots of talk about encouraging us to talk to the ICO to ensure the new system works in practice. So do not treat this as the final word.
What does this mean for BCR applicants?
- The main "winner" will be the entity seeking UK approval in future (UK only), thereby getting to operate within a simpler UK regime. No doubt there will be teething problems as the new regime settles.
- Current UK BCR applicants: We are told there is no need to re-write in-flight applications, but they can or may be assessed against the new guidance depending on where you are in the UK process. This points to additional overhead.
- Current EU BCR-approved entities will benefit from a different but simpler process for the UK. However, as this is not a direct "read across", UK BCRs will be an extra overhead for an applicant who wants UK as well as EU BCRs.
Key changes coming
- Guidance for controllers.
- Guidance for processors.
- Revised application forms.
- New core referential table with an Annex for BCR-P.
- Revised approach to what constitutes BCRs – the "BCR Policy" is to be the set of standards that gets published, but BCRs include all relevant components.
What is not changing
- No repapering of existing approved BCRs.
- Preference to use IGA over any other type of binding instrument due to IGA providing most certainty. Others will be considered on a case-by-case basis.
Some changes of approach
- The ICO wants to move away from all that "legal detail" you often see in the BCR Policy (the set of standards) and in which (spoiler alert!) data subjects are not generally interested. For example, think about the nuances associated with liability as EDPB would require to be articulated. Instead, you will be required to explain in practical terms how data subjects can access effective and enforceable rights and you should avoid caveats that water down these rights.
- The entity with delegated data protection responsibility should be a UK legal entity (the ICO preferred approach) although it is not clear why choosing a branch would be an issue. Surely a branch will have a better balance sheet than a small UK sub? However, where a branch is the only option, the ICO may accept it if it can accept service of legal proceedings, has sufficient assets and where the parent agrees to step in if the branch defaults.
- Schrems II – the ICO is not expecting TIAs (transfer impact assessments) as part of the BCR approval process, but it can ask for them separately.
- This will look very different.
- Where the EU has separate Controller and Processor referentials, the ICO will have a single core referential. So the new referential will shrink to seven pages.
- For BCR-P, you also need to complete the Annex to the core referential.
- The ICO will not check Article 28 terms or service agreements (these are outside the scope of the BCR approval process), but it will expect to see how the BCRs interact with service agreements with customers, how BCR requirements flow through the supply chain, and how the rights granted are made binding.
- ICO also wants to find a practical solution for exports under BCR-P from onshore Controller to offshore Processor which is a BCR member entity.
- There will be separate forms for BCR-C and BCR-P.
- There will be some new guidance but overall the content will not change dramatically.
- ICO was considering a combined application form but decided not to proceed with this.
Options for a consolidation of BCR documents?
- The ICO says you can have a single BCR Policy for Controller and Processor BCRs. Beware though: this is not the EDPB's view!
- The ICO says it is ok to have a combined IGA for BCR-C and BCR-P.
- Combined policies for BCR-C and BCR-P are also OK.
There is no doubt BCRs are the "gold standard" for data privacy compliance. The UK proposals are practical, which is to be welcomed, but applicants need to keep them under review to assess the impact on their own organisation. The general "principles-based" approach is also an indication of the UK approach more generally as regards the UK GDPR reform package.
We will be tracking the UK proposals and will publish more as they develop.