The Information Commissioner’s Office (ICO) stated on July 25, 2022, that it had published new guidance on UK Binding Corporate Rules (BCRs), which overrides all earlier guidance and papers. The ICO specifically stated that it had updated its requirement tables for data controllers and processors, as well as its application forms, and released new guidance to give certainty when organizations have used UK BCRs to transfer data.
The guidance underlines that the use of BCRs to offer the necessary safeguards for making restricted transfers was developed under EU law and remains part of UK legislation under Article 47 of the UK General Data Protection Regulation (UK GDPR).
As a result, the guidance recognizes that BCR applicants may wish to seek both EU and UK BCRs. The ICO has therefore simplified the UK BCR approval process: it will request supporting documents and commitments only once during the UK approval process, and each requirement appears in the most relevant section of the documentation pack. Furthermore, the guidance is organized so that data controllers should consult the guidance for UK BCRs for Controllers (BCR-C), while data processors should consult the guidance for UK BCRs for Processors (BCR-P).
Who is the guidance intended for?
You must read this advice before preparing the UK BCR application pack. This information will also help you with your ongoing obligations after approval.
The ICO has modified its BCR clearance procedure in the United Kingdom for both Controllers and Processors. This takes into account the Schrems II CJEU decision, which is still binding on the UK.
The document provided by the ICO focuses on UK Controller BCRs (UK BCR-C). However, if you are seeking UK Processor BCRs (UK BCR-P), please refer to the updated advice for UK Processor BCRs.
How should we apply this guidance?
This new guidance is divided into 11 sections and supplements the revised reference table (which all applicants must complete) and the application form for a UK BCR-C.
This guidance is intended to help Controllers prepare the UK BCR pack for approval by clarifying what the ICO wants to see in the BCR policy, application form, binding instrument, and any accompanying documentation.
It outlines the UK BCR criteria in Article 47 of the UK GDPR and sets out the ICO's expectations when it considers granting a UK BCR approval.
Short on time? Below are the details of the guidance.