The company I work for was bought by a US company several years ago. All IT systems were migrated to the parent company's servers (in the US).
We have a GDPR consultant appointed to us by head office, who is telling us we need to implement binding corporate rules because all our data is stored at head office (cross border transfer).
Is there a better way for compliance? Looking at the small list of companies with approved binding corporate rules (BP, Verizon, eBay, GSK etc.) I cannot believe that a. we are in their league, b. there are no other companies in our situation that are not on that list (what do they do?).
I know there are some knowledgeable people on here in this area, and I am not trying to get free consultancy. Just confirmation that we are either stuck with BCR, or there is another way.
Knowing the reasoning for moving the data to the US in the first place might help - do they use it, or is it just the convenience of less hardware to manage?
Truthfully, until we see the first court case no one really knows how it will affect us all, not really.
I know how quickly 'GDPR consultants' can burn through big piles of money, maybe shift the lot to AWS or Azure in the EU?
The reason it's in the US is that it's our head office, so that's where all the server infrastructure is located. Nobody really accesses it there, it's just where the Oracle database is hosted. UK staff access the system via our MPLS network.
Big deal at work (US company, owned by a German company). Because work markets globally and GDPR is being seen as 'best practice' work is making a concerted effort to get on top of it. That and not being on top of it could be incredibly costly for any violations within the EU.
Might be an idea to shift it back then?
I'd love that, P-Jay, give me some infrastructure to look after. We have approx. 200 servers, can't see them jumping at the chance of splitting it and moving half to the EU.
I think your (probably massively overpaid) GDPR consultant is right. Although I thought this was more to do with the previous data protection regs from 2015, more than GDPR.
The joys of GDPR. Having data external to the EU, the GDPR rules still apply if the data is used in the EU. Do you have consents in place to use this data, or will you have them in place before the switch-on later this month? You need the data consent systems in place irrespective of where the data is held.
^ Depends if consent is the legal basis for processing the data. 8 working days until GDPR is enforceable, not that we're counting or anything.
BCR will give you a stopgap... I'm assuming your data involves some personal data.
A simple way to think about this ...
People's personal data (data that identifies them) belongs to them.
You can't use it without a good reason.... and if you do use it you need to provide information to them on what you use it for, allow them to get a copy and allow them to correct it.
If you don't or no longer have a good reason then you shouldn't have the data.
If you do have a good reason then you need to protect that data to prevent anyone being able to use it and cause them some sort of harm...
Some countries (e.g. Canada) have legislation in place that protects that data in a very similar way to the EU. Other countries like the US don't... so unless a company sending data there has contractual stuff in place (BCR internally) then that data is considered at risk. Essentially your BCR needs to say they will treat it as if it is in the EU.
It's a bit like flying.... everyone has to follow some minimal legislation ... so long as everyone follows a minimum standard then planes are allowed to land and take off in different countries.
Interesting - no clue what the answer is but I work for a multi-national and we seem to be adopting GDPR standards worldwide.
One section of an internal guide states:
GDPR's scope is broader than before, as it will now apply not only to entities located in Europe that offer services to or monitor the behavior of individuals in the EU, but also to entities outside of Europe that do the same. In other words, the mere fact of providing services in Europe would be sufficient to subject an organization to GDPR requirements.
Not sure how much EU citizen personal data we hold outside of Europe but we don't have a BCR in place and I doubt any plans to go through the process.
Why not go to the source of the information from the ICO and do some reading?
https://ico.org.uk/for-organisations/guide-to-data-protection/binding-corporate-rules/
Thanks Bikebouy, I have read that, and many other resources over the last 6 months. I am just trying to establish if BCR is our ONLY route before we embark on a very expensive and time consuming (takes around 1 year to get approval) task.
The part we are struggling to understand is basically if BCR applies. Are we one global company? Are we a group of entities? Does this make a difference? Does it only apply if we share data with separate companies within a group, etc.?
Then ask yourself ..
Do you move/use/transfer data in/out of the EU?
Are your Jurisdictions in/out of the current reciprocal agreements (see list)?
A year for a BCR certificate is the norm; it's a lengthy process undertaken by a short-headcounted ICO. (You could have started the BCR a year ago..)
Have you a roadmap to complete the remaining BoW? Is it robust? And would you say you are 70% compliant now?
The ICO will look at cases if breaches occur and will seek to find evidence that you are some way along your milestone plan for completion.
All questions you can ask your Consultant I’m sure.
I don't know but I just received an email from a wealthy Nigerian Prince.
He told me that he doesn’t have any fortune to share with me at the moment but he would appreciate if I could let him know before May 25th if I wish to continue receiving emails.
For a smaller company and transfers to the US I'd be looking at Privacy Shield first, or possibly the standard contractual clauses if that doesn't look viable. BCR takes ages to get approved and doesn't tend to be worth it for smaller groups.
(and you should have had this in place under the DPA - the rules on international transfers have always been there...)
bikebouy
Yes, we transfer data out of the EU.
There is no adequacy agreement with the countries we transfer to.
Don't know what BoW is. We are compliant now bar this transfer and need to figure out this last piece.
You have yet to tell me anything I don't already know, can you help with the OP?
Not in answer to the OP, but GDPR related - I'm receiving loads of "stay contacted" pleas at the mo and it's great to ignore them! Emails are going to decrease by loads in a few weeks. Just imagining the quiet inbox next Black Friday.. 🙂
Trailwagger, you need to have adequate safeguards; BCRs are one way to show unequivocally that you do (although it won't prove you follow them). There are other approaches, as referred to further down the ICO page linked earlier. You are paying a man for consultancy and he is telling you one option only, and quite possibly the least appropriate option. Some of this may be affected by your organisation's attitude to risk.
You could just do what MPs are doing... http://www.bbc.co.uk/news/technology-44128539
Although given most MPs' offices seem to be staffed by family members of likely dubious competence (at least when it comes to IT security), maybe just deleting everything is the best way.
Just received an email with a very dubious work around for GDPR...
As you have received this email it means that we have your details stored on our database. If you wish for us to delete all the data that we have stored on you, then reply to this email and advise that you wish for all your data to be deleted.
I’m not sure that’s quite how it works is it?
Depends on their legal basis for processing your data. If it's legitimate interest, fulfilment of contract etc. then asking if you want to be deleted is a step further than required (you have a right to request deletion but there's no requirement to actively offer this).
BoW = Book of Work.
All Programmes should have a verified BoW. An assessment of graded implementation requirements driven by either Regulation or Organisational Change.
GDPR is Regulation Change, a BoW is constructed by the Owner of the Programme to endorse both validity and work stream implementation of said requirements. Then placed along a milestone/workstream Plan.
Your Consultant should have one, certainly the business.
You seem very interested in the topic, go ask the Owner for a view and check/challenge.. No harm in challenging, you've asked the question on here.. It would have been far easier to go ask the Owner of the Programme/Project at your end.