Following Brexit, EU BCR holders wishing to rely on this mechanism to legitimise transfers of personal data from the UK have been required to create bespoke UK BCR documentation (including a new application form and completed referential table as well as a UK-specific set of rules and binding mechanism), which needed to be submitted, scrutinised and approved by the ICO, and resulted in substantial drafting work and long approval timeframes. It also means that holders of EU and UK BCR have had to create and maintain two separate versions of their BCR.

What does the proposed new process involve?

The UK BCR Addendum process will enable UK BCR to be formed by:

• An approved EU BCR;
• The UK BCR Addendum, which will create the formal legal mechanism to extend the scope of the EU BCR to include transfers of personal data from the UK (but without requiring a separate set of UK-specific BCR documentation); and
• A UK BCR summary.

 To enable this, the ICO has created a draft template UK BCR Addendum which can be used in two ways:

1. As a standard form, which should be used unamended and will simply need to be tailored to the BCR holder by completing certain factual information set out in four tables. This will include a requirement for a lead UK-based BCR member to confirm that it has sufficient assets in place to cover any liabilities that may arise under the UK BCR.; or
2. As a template or guidance, which can be amended and submitted to the ICO for review (but is likely to necessitate a longer approval process depending on the extent of changes made).

The UK BCR Addendum has been structured as an intra-group agreement for all BCR members to sign. Alternatively, the section with BCR members' signatures can be amended so that the provisions of the Addendum become binding pursuant to a separate agreement. The document itself has three parts as follows:

• Part 1: Background – This resembles the recitals of an agreement and is very brief.
• Part 2: Tables – This part comprises four separate tables and is the only part of the Addendum that requires content to be added by the applicant, as follows:
  • Table 1: Start Date and BCR Members – This will include the name, contact details, and signature of all entities that are members of the UK BCR.
  • Table 2: EU BCR – This table includes details of the various documents that form the EU BCR, and copies of these documents need to be provided alongside the Addendum.
  • Table 3: UK BCR Summary – This is a key element of the Addendum as it will need to be carefully drafted with the relevant data subjects (or in the case of Processor BCR, third party exporters) as the target audience and provide a summary of how the EU BCR will work in a UK context. The UK BCR Summary will typically include a brief description of the data transfers covered by the UK BCR Addendum and information regarding the relevant data subjects’ rights, how data subjects can complain to BCR members and the ICO, and how to bring a BCR-related claim in the UK courts. 
  • Table 4: Options – This is meant to facilitate the tailoring of some formal aspects of the UK BCR to the corporate group in question.
• Part 3: The UK BCR Addendum – This is the longest part of the document and it contains detailed legal provisions aimed at turning the EU BCR into a set of rules applicable to transfers from the UK. However, the ICO helpfully provides the option of incorporating this specific part by reference.

Once the relevant UK BCR Addendum document, including the completed tables with the summary has been prepared, it will need to be submitted, along with the approved EU BCR documentation, to the ICO for approval.  

How long will the approval process take?

The ICO expects that the UK BCR Addendum will speed up the current application and approval process considerably. The ICO’s review process of UK BCR applications has been taking 18 months or more in many cases, but the ICO expects that this could be reduced to a matter of weeks where companies adopt the new process.  

Applicants who choose to use the UK BCR Addendum as a standard form can expect to receive their approval faster than those who choose to develop their own and use the ICO’s template as guidance.  This is because the ICO will need to conduct a more detailed review of bespoke addenda and may need to ask supplementary questions. In both cases, applicants can expect the ICO to review the UK BCR Summary with a close eye, as they will be keen to ensure that it is especially clear to UK data subjects how the EU BCR will work in a UK context.  

Next steps 

The ICO intends to publish the final UK BCR Addendum and guidance before the end of 2023. Once this happens, UK BCR applicants with approved EU BCR will have the option to pursue this alternative and streamlined route for a UK BCR. This will impact UK BCR applicants in different ways based on what stage of the process they are at:

• Existing UK BCR holders will have the option to switch to the new UK BCR Addendum as part of the annual update process. This would remove the need to have separate EU and UK BCR and may make maintaining the BCR more straightforward going forward.
• Existing applications for UK BCR which are not yet approved can choose to continue with their existing application or resubmit using the UK BCR Addendum approach.  An obvious attraction of the new process is the ability to maintain a single version of EU BCR supplemented by the UK BCR Addendum, rather than separate UK and EU BCR. The ICO has not gone so far as to state that existing applicants who switch to the UK Addendum process will retain their place in the ICO’s review queue, although they expect this should not make a practical difference given the timeframe for approval of the UK BCR Addendum should be much shorter.
• Prospective UK BCR applicants can benefit from the new UK BCR Addendum route as long as they have an approved EU BCR (or plan to have one in place before applying for a UK BCR). These applicants can make a start on preparing the UK BCR Summary and gathering the information required to complete the UK Addendum (including to decide whether to go down the standard form or bespoke route) so that they can be ready to submit an application as soon as the final draft is published. 

New UK BCR applicants or those wishing to switch to the new UK BCR Addendum process from an existing application or approved UK BCR, should consider whether the new process may be beneficial for them and monitor upcoming guidance on this topic. If companies decide to pursue this alternative route, the next key decision will be whether to use the Addendum as a standard form or as a template and to start preparing the UK BCR summary. They'll also need to start lining up all BCR Members to sign the Addendum. This is a very welcome development that shows the ICO’s commitment to pragmatism in the context of a framework that provides the highest standards of data protection at a global scale.

Authored by: Eduardo Ustaran, Katie McMullan and Jabeen Rizvi