International data transfers: ICO update to binding corporate rules

International data transfers: ICO update to binding corporate rules

Transfers of personal data to the UK - EU Commission issues positive draft decision on UK adequacy

The ICO has recently updated its guidelines on Binding Corporate Rules (BCRs), aiming to simplify the approval process within the UK for the UK GDPR.

What are BCRs?

Approved BCRs are one of the mechanisms to demonstrate adequacy (rather than using the Standard Model Clauses or SCCs) and so allow controllers or processors to make intra-organisational cross-border transfers of data in compliance with the UK GDPR as per Article 47 UK GDPR.

What do they comprise of?

UK BCRs comprise of the following:

  • Application form - The application form is where businesses demonstrate their implementation, management and monitoring of the UK BCRs including descriptions of the data flows and relevant audits. Controllers and processors have separate application forms.
  • Binding instrument - The binding instrument is generally an intergroup agreement as preferred by the ICO to ensure individuals can enforce their rights in the UK. This instrument should be drafted in a reader-friendly manner.
  • Referential table - The referential table contains references to sections of the BCRs which demonstrate compliance with Article 47.
  • BCR policy - This must set out key information required by Article 47 in relation to individual’s data.
  • Other relevant policies and procedure referenced in the BCRs - These are to demonstrate compliance.

What has changed?

  • Supporting documents (for example privacy policies, internal data protection policies and training) will only be requested once during the approval process.
  • Revision of the referential table
    • Instead of having separate referential tables for controllers and processors, all applicants will need to fill out the referential table. Processors will also need to complete Annex 1 to the referential table.
  • Publication of the BCR Policy
    • The ICO expects businesses to publish their BCR Policy in full, so individuals can access key information they need about their data and the transfers.

For more information see:

If you need help implementing BCRs in your business or would like to discuss how these changes may affect your use, please do get in touch.

Contact our experts for further advice

Search our site