ges binding corporate rules: achievements, challenges and solutions nuala oconnor kelly chief...
TRANSCRIPT
GE’s Binding Corporate Rules:
Achievements, Challenges andSolutions
Nuala O’Connor KellyChief Privacy LeaderGeneral Electric CompanyNuala.o’[email protected]
2 /Ulrika Dellrud
2006-10-24
Six Businesses, Each with a Number of Business Units Aligned for Growth
Commercial Finance
Healthcare
Infrastructure
NBC Universal
GE Money
Industrial
3 /Ulrika Dellrud
2006-10-24
Meeting Global Challenges
Knowledge
Flows
Technology Innovation
Global Integration
Conflict & Security
Institutional Governance
Resource Management
Population / Demography
Mobilizing capital and resources. . .
Renewables
Nuclear
Water/Desal
Clean Coal
H Turbine
Engine
Evolution Locomotiv
e
Global Research Centers
NBCU
Container Security
Explosive Detection
Transparency in
Governance
(Corp/Govt)
Compliance
Rigor
Corporate Citizenshi
pBringing solutions through our customers. . .Leading with governments to find solutions. . .
Personalized
Healthcare
Philanthropy
Services in WTO/FTAs
Energy
Healthcare
Financial Services
4 /Ulrika Dellrud
2006-10-24
A global company with operations in over 100 countries and 300,000+ employees
95,000+ employees in EMEA
5 /Ulrika Dellrud
2006-10-24
The GE difference . . . Leadership commitment to integrity
A culture of compliance supported by world-class systems:
• Policies
• Education & Training
•Communications
• Auditing & Control
6 /Ulrika Dellrud
2006-10-24
GE and controlled affiliates are also bound:
“Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.”
GE’s global workforce commits to comply:• New employees receive a copy of The Spirit and
Letter handbook and acknowledge that they are required to comply with its policies
• Employees re-acknowledge commitment to S&L every 18 months
• Failure to comply can lead to termination of employment
GE Policies are the Foundation of GE’s Integrity14 policies, including on privacy, outline GE’s core legal and ethical responsibilities
7 /Ulrika Dellrud
2006-10-24
Fair Employment Practices Policy (GE Spirit & Letter)
Requires respect for “the privacy rights of employees by using, maintaining and transferring their personal data in accordance with applicable Company guidelines and procedures.”
GE Employment Data Protection Standards (Binding Corporate Rules)
Protects “Employment Data,” defined as “any information about an identified or identifiable person that is obtained in the context of the person’s working relationship with a GE entity.”
BCRs Incorporated into GE Policy in 2003
8 /Ulrika Dellrud
2006-10-24
Key Principles:• Adduces adequate safeguards globally - a high, EU-
like standard globally - plus stricter local laws prevail• Key protections
– Transparency and fairness – Purpose limitation – Data quality– Security– Rights of access, rectification, objection– Protections for onward transfer
• Enforcement– Internal controls and audits– Reporting channels for suspected violations– Cooperation with Data Protection Authorities
(DPA)– Data subject right to seek remedy in home
country– Communication and training
Today, GE’s BCRs Continue to Provide Strong, Global Data Protection
9 /Ulrika Dellrud
2006-10-24
Binding Corporate Rules: An Effective Compliance Approach for GEBCRs
+ Consistent with GE’s compliance structure and practices+ Binding on GE entities and employees+ Harmonized global guidelines ensure a consistent, strong protection+ Policies are alive and visible to our employees+ Language is user-friendly and has been translated into many local
languages for data handlers and employees around the world+ Company assumes responsibility for providing adequate safeguards for
data+ Strong support for a privacy compliant culture from GE senior
management
Contracts:– Complex administration with thousands of entities– Complex language; not visible to data handlers or employees
Safe Harbor:– Covers only EU to U.S. transfers – Does not cover GE’s financial services businesses
10 /Ulrika Dellrud
2006-10-24
BCR Approval Process
11 /Ulrika Dellrud
2006-10-24
BCR Approval Process:Prior to Coordinated Process GE sought recognition of its Standards as a BCR in each country; adopted by German DPAs in July 2003
Lessons Learned:
Challenges for companies:
Gaining individual approval by 28 EU/EEA countries was time-consuming
Minor modifications suggested by individual DPAs triggered significant work: re-training of data handlers; revision of operating procedures; renegotiation with prior-approving DPAs
Challenges for DPAs:
Hard for DPAs to review BCRs and supporting documentation from many different companies
12 /Ulrika Dellrud
2006-10-24
BCR Approval Process:Coordinated Process
GE worked with UKIC as “lead authority” for coordinated approval of BCR (mid-2004 through present). As one of the first companies to undertake the BCR approval process, GE worked side-by-side with DPAs in a number of countries to facilitate approval.
Lessons Learned:
Significant effort required by Lead Authority (and UKIC was excellent!)
Working collaboratively and transparently with DPA staff and commissioners was effective; in-person meetings essential – but the process took substantial time for GE, the UKIC and all DPAs
GE resources (HR, Legal, Privacy, Compliance, Audit teams) heavily involved in demonstrating strong controls
Process can work! GE has approvals in 13 countries; pending in 13 more
13 /Ulrika Dellrud
2006-10-24
Managing Practical Implementation Regionally &
Globally
14 /Ulrika Dellrud
2006-10-24
Policy Compliance Review Board (PCRB)
GE General Counsel
Chief Privacy Leader
• Policy development• Practice facilitator
Corporate
• Employment Data Privacy Committee
• Global Privacy Council• Corp Audit & Compliance
Team
Businesses• Chief Privacy Leaders
• Data Protection Review Boards
• Senior HR/IT Leaders
Poles• US Privacy Leaders
• European Privacy Leaders• Asian Privacy Leaders
GE Privacy Structure
15 /Ulrika Dellrud
2006-10-24
A strong structure ensures daily compliance
Board of DirectorsAudit Committee
• Regular updates
Legal Organization• lawyers in Europe & globally• Dedicated compliance leader
in each business
Independent Auditors• Report to BOD Audit
Committee• auditors in Europe
& globally
GlobalOmbudsperson Network• Intake and resolve concerns• Monitor trends/cases
Policy Compliance Review Board (PCRB)
• Senior GE officers• Policy oversight
• Business reviews
GE’s Policy
Governance Structure
16 /Ulrika Dellrud
2006-10-24
26 Languages
Hotlinks
13 Policies in simple, reader-friendly language
Report Concerns &
Access Resources
GE’s policies are visible and user friendly
17 /Ulrika Dellrud
2006-10-24
For Data Handlers- authorized individuals who process employment data•Human Resources• Information Technology•Managers•Legal•Sourcing
Messages via:•On-line courses•Live training•Web articles
Training and Communication:
Data handlers are trained on their obligations
18 /Ulrika Dellrud
2006-10-24
• Business self-audit checklists
• Data protection FAQs
• Country toolkits
• Country experts
• Links to external sites
• Privacy reviews before new systems are implemented
Substantial guidance is provided to data handlers
19 /Ulrika Dellrud
2006-10-24
BCRs Benefit Companies and DPAs!Benefits for companies:
Unified, global standard
In-house policy driven by/tailored to a company’s unique culture or business/compliance processes
More ability to communicate rules, values to employees (better than contracts or safe harbor)
Benefits for DPAs:
Simplified approval process for BCR
Fewer unique data processing approvals, if activity covered by BCR
Better awareness of data protection rights on part of individual
Increased and clarified role for DPAs in enforcing/approving BCRs of global companies