GE’s Binding Corporate Rules: Achievements, Challenges and Solutions Nuala O’Connor Kelly Chief Privacy Leader General Electric Company Nuala.oconnorkelly@ge.com

Upload: kimberly-romero

Post on 27-Mar-2015

TRANSCRIPT

Page 1: GEs Binding Corporate Rules: Achievements, Challenges and Solutions Nuala OConnor Kelly Chief Privacy Leader General Electric Company Nuala.oconnorkelly@ge.com

GE’s Binding Corporate Rules: Achievements, Challenges and Solutions

Nuala O’Connor Kelly
Chief Privacy Leader
General Electric Company
Nuala.oconnorkelly@ge.com

Page 2

2 /Ulrika Dellrud

2006-10-24

Six Businesses, Each with a Number of Business Units Aligned for Growth

Commercial Finance

Healthcare

Infrastructure

NBC Universal

GE Money

Industrial

Page 3

Meeting Global Challenges

Knowledge Flows

Technology Innovation

Global Integration

Conflict & Security

Institutional Governance

Resource Management

Population / Demography

Mobilizing capital and resources. . .

Renewables

Nuclear

Water/Desal

Clean Coal

H Turbine

Engine

Evolution Locomotive

Global Research Centers

NBCU

Container Security

Explosive Detection

Transparency in Governance (Corp/Govt)

Compliance Rigor

Corporate Citizenship

Bringing solutions through our customers. . .

Leading with governments to find solutions. . .

Personalized Healthcare

Philanthropy

Services in WTO/FTAs

Energy

Healthcare

Financial Services

Page 4

A global company with operations in over 100 countries and 300,000+ employees

95,000+ employees in EMEA

Page 5

The GE difference . . . Leadership commitment to integrity

A culture of compliance supported by world-class systems:

• Policies

• Education & Training

• Communications

• Auditing & Control

Page 6

GE and controlled affiliates are also bound:

“Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.”

GE’s global workforce commits to comply:

• New employees receive a copy of The Spirit and Letter handbook and acknowledge that they are required to comply with its policies

• Employees re-acknowledge commitment to S&L every 18 months

• Failure to comply can lead to termination of employment

GE Policies are the Foundation of GE’s Integrity

14 policies, including on privacy, outline GE’s core legal and ethical responsibilities

Page 7

Fair Employment Practices Policy (GE Spirit & Letter)

Requires respect for “the privacy rights of employees by using, maintaining and transferring their personal data in accordance with applicable Company guidelines and procedures.”

GE Employment Data Protection Standards (Binding Corporate Rules)

Protects “Employment Data,” defined as “any information about an identified or identifiable person that is obtained in the context of the person’s working relationship with a GE entity.”

BCRs Incorporated into GE Policy in 2003

Page 8

Key Principles:

• Adduces adequate safeguards globally - a high, EU-like standard globally - plus stricter local laws prevail

• Key protections
– Transparency and fairness
– Purpose limitation
– Data quality
– Security
– Rights of access, rectification, objection
– Protections for onward transfer

• Enforcement
– Internal controls and audits
– Reporting channels for suspected violations
– Cooperation with Data Protection Authorities (DPA)
– Data subject right to seek remedy in home country
– Communication and training

Today, GE’s BCRs Continue to Provide Strong, Global Data Protection

Page 9

Binding Corporate Rules: An Effective Compliance Approach for GE

BCRs:
+ Consistent with GE’s compliance structure and practices
+ Binding on GE entities and employees
+ Harmonized global guidelines ensure a consistent, strong protection
+ Policies are alive and visible to our employees
+ Language is user-friendly and has been translated into many local languages for data handlers and employees around the world
+ Company assumes responsibility for providing adequate safeguards for data
+ Strong support for a privacy compliant culture from GE senior management

Contracts:
– Complex administration with thousands of entities
– Complex language; not visible to data handlers or employees

Safe Harbor:
– Covers only EU to U.S. transfers
– Does not cover GE’s financial services businesses

Page 10

BCR Approval Process

Page 11

BCR Approval Process: Prior to Coordinated Process

GE sought recognition of its Standards as a BCR in each country; adopted by German DPAs in July 2003

Lessons Learned:

Challenges for companies:

Gaining individual approval by 28 EU/EEA countries was time-consuming

Minor modifications suggested by individual DPAs triggered significant work: re-training of data handlers; revision of operating procedures; renegotiation with prior-approving DPAs

Challenges for DPAs:

Hard for DPAs to review BCRs and supporting documentation from many different companies

Page 12

BCR Approval Process: Coordinated Process

GE worked with UKIC as “lead authority” for coordinated approval of BCR (mid-2004 through present). As one of the first companies to undertake the BCR approval process, GE worked side-by-side with DPAs in a number of countries to facilitate approval.

Lessons Learned:

Significant effort required by Lead Authority (and UKIC was excellent!)

Working collaboratively and transparently with DPA staff and commissioners was effective; in-person meetings essential – but the process took substantial time for GE, the UKIC and all DPAs

GE resources (HR, Legal, Privacy, Compliance, Audit teams) heavily involved in demonstrating strong controls

Process can work! GE has approvals in 13 countries; pending in 13 more

Page 13

Managing Practical Implementation Regionally & Globally

Page 14

Policy Compliance Review Board (PCRB)

GE General Counsel

Chief Privacy Leader

• Policy development
• Practice facilitator

Corporate
• Employment Data Privacy Committee
• Global Privacy Council
• Corp Audit & Compliance Team

Businesses
• Chief Privacy Leaders
• Data Protection Review Boards
• Senior HR/IT Leaders

Poles
• US Privacy Leaders
• European Privacy Leaders
• Asian Privacy Leaders

GE Privacy Structure

Page 15

A strong structure ensures daily compliance

Board of Directors Audit Committee
• Regular updates

Legal Organization
• lawyers in Europe & globally
• Dedicated compliance leader in each business

Independent Auditors
• Report to BOD Audit Committee
• auditors in Europe & globally

Global Ombudsperson Network
• Intake and resolve concerns
• Monitor trends/cases

Policy Compliance Review Board (PCRB)
• Senior GE officers
• Policy oversight
• Business reviews

GE’s Policy Governance Structure

Page 16

26 Languages

Hotlinks

13 Policies in simple, reader-friendly language

Report Concerns & Access Resources

GE’s policies are visible and user friendly

Page 17

For Data Handlers - authorized individuals who process employment data
• Human Resources
• Information Technology
• Managers
• Legal
• Sourcing

Messages via:
• On-line courses
• Live training
• Web articles

Training and Communication:

Data handlers are trained on their obligations

Page 18

• Business self-audit checklists

• Data protection FAQs

• Country toolkits

• Country experts

• Links to external sites

• Privacy reviews before new systems are implemented

Substantial guidance is provided to data handlers

Page 19

BCRs Benefit Companies and DPAs!

Benefits for companies:

Unified, global standard

In-house policy driven by/tailored to a company’s unique culture or business/compliance processes

More ability to communicate rules, values to employees (better than contracts or safe harbor)

Benefits for DPAs:

Simplified approval process for BCR

Fewer unique data processing approvals, if activity covered by BCR

Better awareness of data protection rights on part of individual

Increased and clarified role for DPAs in enforcing/approving BCRs of global companies