UK: ICO publishes updated guidance on UK BCRs
The Information Commissioner's Office ('ICO') announced, on 25 July 2022, that it had published, on the same date, new guidance on UK Binding Corporate Rules ('BCRs'), which supersedes all previous guidance and documents. In particular, the ICO noted that it had updated its requirement tables for data controllers and processors and application forms, and issued new guidance in order to provide certainty where organisations have used UK BCRs to transfer data. More specifically, the guidance confirms that the concept of using BCRs to provide adequate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under Article 47 of the UK General Data Protection Regulation ('UK GDPR').
In light of this, the guidance recognises that BCR applicants may wish to seek both EU and UK BCRs, and, as such, the ICO has simplified the UK BCR approval process, whereby the ICO will only request supporting documents and commitments once during the UK approval process, and that the appropriate requirement appears in the most relevant section of the documentation pack. In addition, the guidance is structured in such a way that data controllers should consult the guidance for UK BCRs for Controllers ('BCR-C'), whilst data processors should consult the guidance for UK BCRs for Processors ('BCR-P').