Binding Corporate Rules, the Accenture experience
Abstract
As a result of the increased awareness of the need to have effective compliance programs in place, the concept of data privacy has recently become very much a hot topic, regularly referred to in the press as well as in the boardroom. Whilst the European Data Protection Directive (“the Directive”) [1] was adopted in 1995, most EU Member States did not have any legislation in place until the late nineties. This legislation forced many companies, acting as data controllers, to start looking at what sort of personal data they were processing, to consider in more detail the purposes for processing and to start making available or increasing budgets allocated to the implementation of security enhancements for the storage of their personal data. Initially many companies did not consider the risk of exposure sufficiently important to justify internal spending on this. These days, however, organisations appear to be much more in tune with the compliance trend. It now gives these companies a competitive edge over other organisations, and this is more and more true in the field of data privacy as the business world has seen an increase in outsourcing activities of organisations to offshore locations such as India or the Philippines, countries which do not have adequate data protection regimes in place. Moreover, data privacy regulators have been given stronger and more efficient enforcement powers resulting in significant fines across Europe, and the adoption of data privacy legislation in other parts of the world such as Canada, Russia and Australia emphasises the global awareness of privacy issues. Of course the many press reports detailing lost or stolen CDs with thousands (if not millions) of people’s personal details on them have not harmed the cause for robust privacy regimes either. The current trend towards functional globalisation requires a global response and policies having binding effect on all entities across the world.
In Accenture’s case this meant having a uniform compliance program in place which served as a basis for its application for Binding Corporate Rules. The following paragraphs describe the pursuit of obtaining approval of the European regulators in respect of this application.