The ICO has announced it is going to overhaul the way in which it deals with UK BCR applications. The aim is to make the BCR application documents, in the words of the ICO, more "outcome focussed" and "principle based". The updated guidance and documents will be published in July; below is a preliminary summary of the headline changes and how they may affect present and future UK BCR applicants and UK BCR holders.
Updated BCR documents
The ICO will publish the following documents:
- new BCR controller and processor guidance documents;
- revised BCR application forms; and
- a new core referential table (those applying for both controller and processor BCRs will only have to fill in the core table and a processor annex).
The ICO has sought to clarify some 'big-ticket' uncertainties / challenges and simplify the application process:
- the ICO is seeking to be less prescriptive and 'make life easier' for applicants whilst still ensuring compliance with Article 47 UK GDPR; for instance, it will be possible to combine controller and processor documents;
- the BCR holder will only be required to publish the BCR policy rather than the full BCR suite of documents, as is currently required;
- the documents to be submitted to the ICO have been significantly shortened / simplified, for instance from about 50 pages to 7 for the referential tables;
- re Schrems 2 compliance - transfer impact assessments will be required on top of the BCR but a copy will not have to be provided with the BCR application; the ICO may ask to see a copy of the TIAs at any time;
- re the UK legal entity with delegated responsibilities, whilst UK presence is required, the ICO will now accept this to be a 'branch' of a non-UK entity so long as certain conditions are met;
- ICO wishes to avoid repetition across the BCR documents – the referential document will guide the applicant re where to provide the information;
- ICO is prepared to accept the use of the processor BCRs for transfers from UK controllers (customers) directly to group member processors outside of the UK (contracts will have to be considered);
- ICO wishes to see BCRs that meet the key requirement of being understandable by data subjects, so would like to see simplified language and structures across the published BCR documents.
Does this affect you?
If you are a UK BCR holder…
- You do not need to do anything. You do not need to repaper your existing BCRs to take into account the new guidance / documents.
- Who has received feedback from the ICO based on the former BCR documents and referentials: you will be able to respond to that feedback taking into account the new guidance documents.
- Who has not yet received any feedback from the ICO: the ICO will triage your application and move it forward; your application will be reviewed against the new guidance.
- The new approach is good news for you: the UK BCR process should be simpler than the EU process you went through.
- You should still be able to use your EU BCR documents as a 'baseline' for your UK application as the legal requirements under UK law mirror the EU GDPR requirements.
- The new approach is good news for you: the UK BCR process should be simpler than it has been up until now.
The above are preliminary views from information made available by the ICO today; more to come when the documents are issued.
It is clear that the UK BCRs will undergo a significant overhaul; what remains to be seen is how this will affect real-life applications (especially ongoing ones). While the simplified application forms and referentials will make life easier, we expect applicants may still want to align their UK BCR policies and appendices to their EU BCR policies and appendices.