New guidance on the UK Binding Corporate Rules 

On 25 July 2022, the Information Commissioner’s Office (ICO) published guidance and revised application forms and tables to simplify the UK Binding Corporate Rules (UK BCRs) approval process for controllers and processors.  

What are UK BCRs and their purpose? 

UK data protection legislation contains strict rules for transferring data from the UK to countries outside of the European Union.   

The easiest way to transfer data internationally like this is where the recipient country has been given an adequacy decision by the Secretary of State for the Department of Digital, Culture, Media and Sport.  In the absence of this, organisations may still be able to transfer personal data internationally, provided the organisation receiving the personal data has provided adequate safeguards.  One such safeguard could be that UK BCRs are in place and have been approved by the ICO.   

UK BCRs are legally binding and enforceable internal rules or policies which can be used  by UK based controllers or processors to transfer data to  non-UK based controllers or processors within a group of undertakings or group of enterprises engaged in joint economic activity such as franchises, joint ventures or professional partnerships.   These have to be approved by the ICO.   

From 1 January 2021, UK based organisations making a new application to the ICO for UK BCRs must use its UK BCR application forms and reference tables.  

There are also additional steps to take when using UK BCRs, following the ECJ’s ruling in Schrems II, such as the completion of a data transfer impact assessment to ensure there is sufficient protection of personal data, that is, essentially the equivalent level as guaranteed by the EU GDPR.  

Once approved, UK BCRs ensure that an adequate level of protection is applied when personal data is transferred between members of a corporate group or groups of enterprises engaged in joint activity to non-UK countries. 

What are the changes to the corporate rules approval process? 

According to the ICO, UK BCRs comprise of the following documents: 

• Relevant application form (which is the overarching document); 
• Binding instrument; 
• Referential table (plus Annex 1); 
• BCR Policy; 
• Other (relevant) policies and procedures as referenced in the UK BCRs. 

A fundamental change to the approval process is the revision of the referential table which should ensure that there is a simplified process when seeking to ensure that policies and procedures comply with the UK GDPR. 

Another significant change to consider are the contents to the UK BCR document, which the ICO identifies as the “BCR Policy”. The ICO expects organisations to publish this document in full to ensure transparency as it provides individuals with key information that they need about their personal data and transfers. 

The documents have also been updated in line with the ECJ’s ruling in Schrems II, namely to ensure that appropriate safeguards are in place when transferring personal data outside of the EU to a third country, which remains applicable to the UK.  

It’s importance to note that these documents now supersede the previous versions, and any organisations wishing to complete a BCR application under the UK GDPR must now use these forms and tables, referring to the correspondence guidance. 

If you need any advice on this topic or are seeking to incorporate UK BCRs into your organisation, please do not hesitate to contact a member of our data protection team who will be happy to assist.