Are You Ready for Binding Corporate Rules (BCR)?

Companies adopting BCR can structure their own compliance approach for the entire enterprise that covers all legal entities across multiple national jurisdictions (including national laws in Asia-Pacific). Before considering BCR, companies need to ask questions in the following categories:

  • Evaluation – Has the organization performed a detailed analysis to determine whether BCR is the appropriate path to take? Does the organization want to organize the BCR program by data type (e.g., employee data versus consumer data)?
  • Code creation – Does the organization have an ability to create a companywide privacy code that can be enforced around the world?
  • Binding rules process – Does the organization have a compliance infrastructure in place today to detect or prevent acts of non-compliance or legal breaches? And are there legal consequences if it breaches its own rules or policy?
  • Selection of the primary DPA – Does the organization have access to one or more DPAs that are willing to serve as a liaison to other DPAs?
  • Legal definitions – Are there legal agreements in place to hold different members of the organization (including affiliates and subsidiaries) to compliance commitments?
  • Regulatory conflicts – Does the organization know (or have an ability to know) the regulatory conflicts that might exist between BCR and national privacy legislation?
  • Compensatory liability – Does the BCR program provide an objective process for determining the organization’s liability and exposure to data subjects in the event of a data security breach?
  • Governance structure – Does the organization have a governance structure that is sufficient to vigorously monitor and enforce compliance? And is this structure visible to top management?
  • Budget – Are there sufficient resources to implement a BCR program? If so, is there one person or formal group held accountable for spending these resources?
  • Mapping and inventory – Does the organization have a way to identify all individual or household information in its control?
  • Policy and disclosure – Is there a policy in place that can be obtained by all key stakeholders including employees, customers, regulators and others?
  • Permission – Does the organization have a process in place to capture and honor the permission of data subjects (this may be optional depending upon the program)?
  • Assurance – Does the organization have an audit or verification process to evaluate ongoing compliance? And is this assurance process objective or independent (especially in the eyes of the primary DPA)?
  • Security – Are there sufficient safeguards in place to protect information about individuals and households?
  • Redress – Does the organization have a process in place to ensure all complaints are handled appropriately, including escalation procedures to senior management levels?
  • Awareness and training – Do all employees who handle data about people and households have a good understanding of their responsibilities under the BCR program?

Source:
The Conundrum over Compliance with Global Privacy Laws
by Dr. Larry Ponemon
Darwin Magazine, 04/25/2005
