GDPR: Disadvantages of Model Clauses and Binding Corporate Rules

20. February 2018 | Drooms Global

While both Model Clauses and BCRs can provide an adequate option for small and big companies, issues can arise when situations become more complex. The major drawback is the cumbersome and impractical nature of these processes.

The repercussions of inadequate data privacy and protection safeguards have become a matter governmental organisations can no longer ignore.

According to European Commission figures, only 15% of people feel they have control over the information they provide online. The erosion of trust is particularly concerning. For this reason, GDPR is seen as a welcome move because of its role in unifying the rules and improving enforcement.

What is the GDPR?

The GDPR, a concept that has been in the works for years and that finally comes into effect in May 2018, will override current national data protection laws in the EU.

Whether carried out by an individual or by a company, the legislation will regulate the processing of EU-related personal data. The GDPR will not regulate the processing of personal data of deceased persons or of legal entities. Furthermore, it won’t affect data processed by an individual for purely personal reasons. Data processing carried out at home with no connection to a professional or commercial activity will not be subject to investigation.

In terms of scope, the GDPR deals with any information relating to an identified or identifiable living individual. Pieces of information that could lead to the identification of a particular person constitute personal data. The law regards personal data that has been de-identified, encrypted or pseudonymised, but which can still be used for re-identification, as falling under its jurisdiction. Information within the scope of the law includes a person’s name, location data, income, bank details and IP address. Personal data that has been rendered anonymous is no longer categorised as or considered personal data. For example, an email address that doesn’t reveal the person’s identity falls outside the scope of the legislation. The GDPR is technology neutral in the sense that it protects personal data regardless of the technology used to process that data. The protection requirement applies whether personal data is stored in the cloud, on video surveillance tapes or on paper.

The impact of GDPR

The GDPR will have an impact on individuals and businesses alike. For the individual, the regulation provides more say over what personal data companies use and how they use it. This will, in turn, affect how organisations process and protect personal data. It will influence not just companies operating in the EU but companies across the globe.

A business can face tougher fines for non-compliance and for breaches of personal data. Organisations are forced to pay more attention to ensuring compliance and keeping data safe. But the new regulation also has the benefit of unifying the rules throughout the EU, and this could lead to greater efficiency, innovation and lower operational costs.

How to ensure compliance and adequate data protection?

Under the current set-up, the transfer of personal data to a country or territory outside the EEA is prohibited unless that country ensures an adequate level of protection in relation to data processing, or appropriate safeguards are in place. These safeguards include Model Clauses and Binding Corporate Rules (BCRs). Both will be recognised as formal means of legitimising cross-border transfers for controllers (those who control the data) and processors (those who process the data on behalf of others).

What are Model Clauses?

The EU has Model Contractual Clauses (Model Clauses), which are a common, standardised method for transferring personal data to controllers and processors located in non-adequate countries outside the EEA. These act as a contract between two legal entities and do not require a licence. Model Clauses are often well suited to small businesses: they are readily available and can be added to other main agreements between the parties.

What are BCRs?

BCRs are a compulsory code of conduct within a corporate group engaged in the same economic activity. They allow the transfer of personal data to third countries and require a licence. The approval mechanism for BCRs is getting easier with the enforcement of the General Data Protection Regulation. These contracts are tailor-made and therefore well suited to large corporations that require legally binding agreements.

The disadvantages of Model Clauses and BCRs

Not fit for all purposes

Model Clauses, in particular, are often not fit for situations where complex processing of personal data is required. An organisation that is a single legal entity might operate through a branch structure and find itself in a difficult position. The larger the company, the harder it becomes, because such an organisation would require hundreds of clauses – administratively cumbersome and expensive. On the other hand, smaller companies can find the cost of BCRs unattractive. In addition, BCRs don’t cover transfers to third parties – other means will be required when the organisation transfers personal data outside its corporate group. Many argue that the more complex the set-up, the greater the degree of vulnerability and the more susceptible a company becomes to a breach.

Issues with local laws

Despite creating a unified code of conduct in the EU, both Model Clauses and BCRs can be incompatible with local laws. Certain member states can have laws preventing the use of the concept of unilateral declarations, creating enforcement issues.

Lengthy processing times

Obtaining a BCR can be lengthy and cause delays in the authorisation process. A 2016 report issued by Allen & Overy mentioned that the shortest processing time to obtain a permit they had observed was 11 months. However, the situation is changing. The GDPR will allow transfers without specific authorisation from a data protection authority.

A significant upfront investment

In terms of BCRs, the application process is not only lengthy but also comes with a significant investment. While ongoing compliance costs can be high where compliance issues are dealt with differently across an organisation, the initial upfront investment in financing and resourcing can be a major drawback for many organisations.

Finding solutions outside of the common safeguards

The removal of the need to notify or to obtain authorisation from a Data Protection Authority (DPA) will reduce red tape in the context of international transfers. The streamlined issuing of BCRs is likely to increase their uptake, and they will become an attractive option for many corporations. However, corporations are not yet fully aware of the changes and how best to proceed with the implementation process. According to McKinsey reporting, only 10% of major European companies have mature cybersecurity risk-management practices in place, and 45% know they need to make a significant investment in order to comply with the requirements set out in the General Data Protection Regulation. The good news is that there are European solutions that could help corporations avoid these costly investments while still taking cybersecurity issues seriously.

As a virtual data room provider, Drooms is GDPR-ready, providing corporations with an easy solution that can protect clients from the drawbacks of administrative burden and costly compliance. Drooms has always taken the privacy of its customers extremely seriously and is already compliant with strict German data protection legislation. The security measures in place protect data from unjustified modification, processing or loss. A clear company structure, the absence of subcontractors and the storage of data on European servers to avoid risky transfers are just some of the ways we ensure the security and confidentiality of critical data. There is no need for Model Clauses or BCRs. When using Drooms, businesses enjoy a geographic advantage when it comes to future compliance checks and avoid costly battles later down the line.