GEs Binding Corporate Rules: Achievements, Challenges and Solutions

1
GEs Binding Corporate RulesAchievements,
Challenges andSolutions

• Ulrika Dellrud
• Counsel, European Affairs
• General Electric Company
• ulrika.dellrud_at_ge.com

2
Six Businesses, Each with a Number of Business
Units Aligned for Growth
Infrastructure
Industrial
Commercial Finance
Healthcare
NBC Universal
GE Money
3
Meeting Global Challenges
Knowledge Flows
Technology Innovation
Global Integration
Conflict Security
Institutional Governance
Resource Management
Population / Demography
Transparency in Governance (Corp/Govt) Compliance
Rigor Corporate Citizenship
Personalized Healthcare Philanthropy
Services in WTO/FTAs Energy Healthcare Financial
Services
Renewables Nuclear Water/Desal Clean
Coal
H Turbine Engine Evolution Locomotive
Global Research Centers NBCU
Container Security Explosive Detection
Mobilizing capital and resources. . .
Bringing solutions through our customers. . .
Leading with governments to find solutions. . .
4
GE - Not Just a U.S. Company

• Operations in over 100 countries

300,000 employees worldwide
Manufacturing facilities in 32 countries
5
The GE Difference is. . .

• Leadership Commitment to Integrity
• A Culture of Integrity Compliance
• World-Class Systems to Support Commitment

• Communications
• Education Training
• Auditing Control

6
GE Policies are the Foundation of GEs Integrity
13 policies, including on privacy, outline GEs
core legal and ethical responsibilities

• GEs global workforce commits to comply
• New employees receive a copy of The Spirit and
  Letter handbook and acknowledge that they are
  required to comply with its policies
• Employees re-acknowledge commitment to SL every
  18 months
• Failure to comply can lead to termination of
  employment

GE and controlled affiliates are also
bound Subsidiaries and other controlled
affiliates throughout the world must adopt and
follow corresponding policies. A controlled
affiliate is a subsidiary or other entity in
which GE owns, directly or indirectly, more than
50 of the voting rights, or in which the power
to control the entity is possessed by or on
behalf of GE.
7
BCRs Incorporated into GE Policy in 2003

• Fair Employment Practices Policy (GE Spirit
  Letter)
• Requires respect for the privacy rights of
  employees by using, maintaining and transferring
  their personal data in accordance with applicable
  Company guidelines and procedures.

GE Employment Data Protection Standards (Binding
Corporate Rules) Protects Employment Data,
defined as any information about an identified
or identifiable person that is obtained in the
context of the persons working relationship with
a GE entity.
8
Today, GEs BCRs Continue to Provide Strong,
Global Data Protection

• Key Principles
• Adduces adequate safeguards globally - a high,
  EU-like standard globally - plus stricter local
  laws prevail
• Key protections
• Transparency and fairness
• Purpose limitation
• Data quality
• Security
• Rights of access, rectification, objection
• Protections for onward transfer
• Enforcement
• Internal controls and audits
• Reporting channels for suspected violations
• Cooperation with Data Protection Authorities
  (DPA)
• Data subject right to seek remedy in home country
• Communication and training

9
Binding Corporate Rules An Effective Compliance
Approach for GE

• BCRs
• Consistent with GEs compliance structure and
  practices
• Binding on GE entities and employees
• Harmonized global guidelines ensure a consistent,
  strong protection
• Policies are alive and visible to our employees
• Language is user-friendly and has been translated
  into many local languages for data handlers and
  employees around the world
• Company assumes responsibility for providing
  adequate safeguards for data
• Strong support for a privacy compliant culture
  from GE senior management
• Contracts
• Complex administration with thousands of entities
• Complex language not visible to data handlers or
  employees
• Safe Harbor
• Covers only EU to U.S. transfers
• Does not cover GEs financial services businesses

10
BCR Approval ProcessPrior to Coordinated
Process

• GE sought recognition of its Standards as a BCR
  in each country adopted by German DPAs in July
  2003
• Lessons Learned
• Challenges for companies
• Gaining individual approval by 28 EU/EEA
  countries was time-consuming
• Minor modifications suggested by individual DPAs
  triggered significant work re-training of data
  handlers revision of operating procedures
  renegotiation with prior-approving DPAs
• Challenges for DPAs
• Hard for DPAs to review BCRs and supporting
  documentation from many different companies

11
BCR Approval ProcessCoordinated Process

• GE worked with UKIC as lead authority for
  coordinated approval of BCR (mid-2004 through
  present). As one of the first companies to
  undertake the BCR approval process, GE worked
  side-by-side with DPAs in a number of countries
  to facilitate approval.
• Lessons Learned
• Significant effort required by Lead Authority
  (and UKIC was excellent!)
• Working collaboratively and transparently with
  DPA staff and commissioners was effective
  in-person meetings essential but the process
  took substantial time for GE, the UKIC and all
  DPAs
• GE resources (HR, Legal, Privacy, Compliance,
  Audit teams) heavily involved in demonstrating
  strong controls
• Process can work! GE has approvals in 11
  countries pending in 15 more

12
BCRs Benefit Companies and DPAs!

• Benefits for companies
• Unified, global standard
• In-house policy driven by/tailored to a companys
  unique culture or business/compliance processes
• More ability to communicate rules, values to
  employees (better than contracts or safe harbor)
• Benefits for DPAs
• Simplified approval process for BCR
• Fewer unique data processing approvals, if
  activity covered by BCR
• Better awareness of data protection rights on
  part of individual
• Increased and clarified role for DPAs in
  enforcing/approving BCRs of global companies