Companies adopting Binding Corporate Rules (BCR) can structure their own compliance approach for the entire enterprise, covering all legal entities across multiple national jurisdictions (including national laws in Asia-Pacific). Before committing to BCR, a company should ask questions in the following categories:
- Evaluation – Has the organization performed a detailed analysis to determine whether BCR is the appropriate path to take? Does the organization want to organize the BCR program by data type (e.g., employee data versus consumer data)?
- Code creation – Does the organization have the ability to create a company-wide privacy code that can be enforced around the world?
- Binding rules process – Does the organization have a compliance infrastructure in place today to detect or prevent acts of non-compliance or legal breaches? And are there legal consequences if it breaches its own rules or policy?
- Selection of the primary DPA – Does the organization have access to one or more data protection authorities (DPAs) willing to serve as a liaison to other DPAs?
- Legal definitions – Are there legal agreements in place to hold different members of the organization (including affiliates and subsidiaries) to compliance commitments?
- Regulatory conflicts – Does the organization know (or have an ability to know) the regulatory conflicts that might exist between BCR and national privacy legislation?
- Compensatory liability – Does the BCR program provide an objective process for determining the organization’s liability and exposure to data subjects in the event of a data security breach?
- Governance structure – Does the organization have a governance structure that is sufficient to vigorously monitor and enforce compliance? And is this structure visible to top management?
- Budget – Are there sufficient resources to implement a BCR program? If so, is there one person or formal group held accountable for spending these resources?
- Mapping and inventory – Does the organization have a way to identify all individual or household information in its control?
- Policy and disclosure – Is there a policy in place that can be obtained by all key stakeholders including employees, customers, regulators and others?
- Permission – Does the organization have a process in place to capture and honor the permission of data subjects (this may be optional depending on the program)?
- Assurance – Does the organization have an audit or verification process to evaluate ongoing compliance? And is this assurance process objective or independent (especially in the eyes of the primary DPA)?
- Security – Are there sufficient safeguards in place to protect information about individuals and households?
- Redress – Does the organization have a process in place to ensure all complaints are handled appropriately, including escalation procedures to senior management?
- Awareness and training – Do all employees who handle data about people and households have a good understanding of their responsibilities under the BCR program?
The Conundrum over Compliance with Global Privacy Laws
by Dr. Larry Ponemon
Darwin Magazine, 04/25/2005