Title: GE's Binding Corporate Rules: Achievements, Challenges and Solutions
1. GE's Binding Corporate Rules: Achievements, Challenges and Solutions
- Ulrika Dellrud
- Counsel, European Affairs
- General Electric Company
- ulrika.dellrud_at_ge.com
2. Six Businesses, Each with a Number of Business Units Aligned for Growth
Infrastructure
Industrial
Commercial Finance
Healthcare
NBC Universal
GE Money
3. Meeting Global Challenges
Knowledge Flows
Technology Innovation
Global Integration
Conflict Security
Institutional Governance
Resource Management
Population / Demography
Transparency in Governance (Corp/Govt) Compliance
Rigor Corporate Citizenship
Personalized Healthcare Philanthropy
Services in WTO/FTAs Energy Healthcare Financial
Services
Renewables Nuclear Water/Desal Clean
Coal
H Turbine Engine Evolution Locomotive
Global Research Centers NBCU
Container Security Explosive Detection
Mobilizing capital and resources. . .
Bringing solutions through our customers. . .
Leading with governments to find solutions. . .
4. GE - Not Just a U.S. Company
- Operations in over 100 countries
- 300,000 employees worldwide
- Manufacturing facilities in 32 countries
5. The GE Difference is. . .
- Leadership Commitment to Integrity
- A Culture of Integrity & Compliance
- World-Class Systems to Support Commitment
- Communications
- Education & Training
- Auditing & Control
6. GE Policies are the Foundation of GE's Integrity
13 policies, including on privacy, outline GE's core legal and ethical responsibilities
- GE's global workforce commits to comply
- New employees receive a copy of The Spirit and Letter handbook and acknowledge that they are required to comply with its policies
- Employees re-acknowledge commitment to S&L every 18 months
- Failure to comply can lead to termination of employment
GE and controlled affiliates are also bound: Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.
7. BCRs Incorporated into GE Policy in 2003
- Fair Employment Practices Policy (GE Spirit & Letter)
  - Requires respect for the privacy rights of employees by using, maintaining and transferring their personal data in accordance with applicable Company guidelines and procedures.
GE Employment Data Protection Standards (Binding Corporate Rules): Protects Employment Data, defined as any information about an identified or identifiable person that is obtained in the context of the person's working relationship with a GE entity.
8. Today, GE's BCRs Continue to Provide Strong, Global Data Protection
- Key Principles
  - Adduces adequate safeguards globally - a high, EU-like standard globally - plus stricter local laws prevail
- Key protections
  - Transparency and fairness
  - Purpose limitation
  - Data quality
  - Security
  - Rights of access, rectification, objection
  - Protections for onward transfer
- Enforcement
  - Internal controls and audits
  - Reporting channels for suspected violations
  - Cooperation with Data Protection Authorities (DPA)
  - Data subject right to seek remedy in home country
- Communication and training
9. Binding Corporate Rules: An Effective Compliance Approach for GE
- BCRs
  - Consistent with GE's compliance structure and practices
  - Binding on GE entities and employees
  - Harmonized global guidelines ensure a consistent, strong protection
  - Policies are alive and visible to our employees
  - Language is user-friendly and has been translated into many local languages for data handlers and employees around the world
  - Company assumes responsibility for providing adequate safeguards for data
  - Strong support for a privacy compliant culture from GE senior management
- Contracts
  - Complex administration with thousands of entities
  - Complex language not visible to data handlers or employees
- Safe Harbor
  - Covers only EU to U.S. transfers
  - Does not cover GE's financial services businesses
10. BCR Approval Process: Prior to Coordinated Process
- GE sought recognition of its Standards as a BCR in each country; adopted by German DPAs in July 2003
- Lessons Learned
  - Challenges for companies
    - Gaining individual approval by 28 EU/EEA countries was time-consuming
    - Minor modifications suggested by individual DPAs triggered significant work: re-training of data handlers, revision of operating procedures, renegotiation with prior-approving DPAs
  - Challenges for DPAs
    - Hard for DPAs to review BCRs and supporting documentation from many different companies
11. BCR Approval Process: Coordinated Process
- GE worked with UKIC as lead authority for coordinated approval of BCR (mid-2004 through present). As one of the first companies to undertake the BCR approval process, GE worked side-by-side with DPAs in a number of countries to facilitate approval.
- Lessons Learned
  - Significant effort required by Lead Authority (and UKIC was excellent!)
  - Working collaboratively and transparently with DPA staff and commissioners was effective; in-person meetings essential, but the process took substantial time for GE, the UKIC and all DPAs
  - GE resources (HR, Legal, Privacy, Compliance, Audit teams) heavily involved in demonstrating strong controls
  - Process can work! GE has approvals in 11 countries; pending in 15 more
12. BCRs Benefit Companies and DPAs!
- Benefits for companies
  - Unified, global standard
  - In-house policy driven by/tailored to a company's unique culture or business/compliance processes
  - More ability to communicate rules, values to employees (better than contracts or safe harbor)
- Benefits for DPAs
  - Simplified approval process for BCR
  - Fewer unique data processing approvals, if activity covered by BCR
  - Better awareness of data protection rights on part of individual
  - Increased and clarified role for DPAs in enforcing/approving BCRs of global companies