Transcript Document

GE’s Binding Corporate Rules: Achievements, Challenges and Solutions
Nuala O’Connor Kelly
Chief Privacy Leader
General Electric Company
Nuala.o’[email protected]
Six Businesses, Each with a Number of Business Units Aligned for Growth
• Infrastructure
• Commercial Finance
• Industrial
• Healthcare
• NBC Universal
• GE Money
2/
Ulrika Dellrud
2006-10-24
Meeting Global Challenges
[Diagram: global challenges (population and demography flows, resource management, technology innovation, knowledge, global conflict and security, institutional integration, governance) mapped to GE businesses and initiatives (personalized healthcare, renewables, H turbine, nuclear, engines, water/desalination, Evolution locomotive, clean coal, global research centers, services in WTO/FTAs, NBCU, healthcare, energy, financial services, container security, explosive detection, transparency in corporate and government governance, compliance rigor, corporate citizenship, philanthropy).]
Mobilizing capital and resources. . .
Bringing solutions through our customers. . .
Leading with governments to find solutions. . .
A global company with operations in over 100 countries and 300,000+ employees
95,000+ employees in EMEA
The GE difference . . .
• Leadership commitment to integrity
• A culture of compliance supported by world-class systems:
– Policies
– Education & Training
– Communications
– Auditing & Control
GE Policies are the Foundation of GE’s Integrity
14 policies, including on privacy, outline GE’s core legal and ethical responsibilities.
GE’s global workforce commits to comply:
• New employees receive a copy of The Spirit and Letter handbook and acknowledge that they are required to comply with its policies
• Employees re-acknowledge commitment to S&L every 18 months
• Failure to comply can lead to termination of employment
GE and controlled affiliates are also bound:
“Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.”
BCRs Incorporated into GE Policy in 2003
Fair Employment Practices Policy (GE Spirit & Letter)
Requires respect for “the privacy rights of employees by using, maintaining and transferring their personal data in accordance with applicable Company guidelines and procedures.”
GE Employment Data Protection Standards (Binding Corporate Rules)
Protects “Employment Data,” defined as “any information about an identified or identifiable person that is obtained in the context of the person’s working relationship with a GE entity.”
Today, GE’s BCRs Continue to Provide Strong, Global Data Protection
Key Principles:
• Adduces adequate safeguards globally: a high, EU-like standard applies everywhere, and stricter local laws prevail where they exist
• Key protections
– Transparency and fairness
– Purpose limitation
– Data quality
– Security
– Rights of access, rectification, objection
– Protections for onward transfer
• Enforcement
– Internal controls and audits
– Reporting channels for suspected violations
– Cooperation with Data Protection Authorities (DPAs)
– Data subject right to seek remedy in home country
– Communication and training
Binding Corporate Rules: An Effective Compliance Approach for GE
BCRs:
+ Consistent with GE’s compliance structure and practices
+ Binding on GE entities and employees
+ Harmonized global guidelines ensure a consistent, strong protection
+ Policies are alive and visible to our employees
+ Language is user-friendly and has been translated into many local languages for data handlers and employees around the world
+ Company assumes responsibility for providing adequate safeguards for data
+ Strong support for a privacy compliant culture from GE senior management
Contracts:
– Complex administration with thousands of entities
– Complex language; not visible to data handlers or employees
Safe Harbor:
– Covers only EU to U.S. transfers
– Does not cover GE’s financial services businesses
BCR Approval Process
BCR Approval Process: Prior to Coordinated Process
GE sought recognition of its Standards as a BCR in each country; adopted by German DPAs in July 2003.
Lessons Learned:
Challenges for companies:
• Gaining individual approval by 28 EU/EEA countries was time-consuming
• Minor modifications suggested by individual DPAs triggered significant work: re-training of data handlers; revision of operating procedures; renegotiation with prior-approving DPAs
Challenges for DPAs:
• Hard for DPAs to review BCRs and supporting documentation from many different companies
BCR Approval Process: Coordinated Process
GE worked with UKIC as “lead authority” for coordinated approval of BCR (mid-2004 through present). As one of the first companies to undertake the BCR approval process, GE worked side-by-side with DPAs in a number of countries to facilitate approval.
Lessons Learned:
• Significant effort required by Lead Authority (and UKIC was excellent!)
• Working collaboratively and transparently with DPA staff and commissioners was effective; in-person meetings essential – but the process took substantial time for GE, the UKIC and all DPAs
• GE resources (HR, Legal, Privacy, Compliance, Audit teams) heavily involved in demonstrating strong controls
• Process can work! GE has approvals in 13 countries; pending in 13 more
Managing Practical Implementation Regionally & Globally
GE Privacy Structure
Policy Compliance Review Board (PCRB)
GE General Counsel
Chief Privacy Leader
• Policy development
• Practice facilitator
Corporate
• Employment Data Privacy Committee
• Global Privacy Council
• Corp Audit & Compliance Team
Poles
• US Privacy Leaders
• European Privacy Leaders
• Asian Privacy Leaders
Businesses
• Chief Privacy Leaders
• Data Protection Review Boards
• Senior HR/IT Leaders
A strong structure ensures daily compliance
GE’s Policy Governance Structure:
Board of Directors Audit Committee
• Regular updates
Policy Compliance Review Board (PCRB)
• Senior GE officers
• Policy oversight
• Business reviews
Legal Organization
• Lawyers in Europe & globally
• Dedicated compliance leader in each business
Independent Auditors
• Report to BOD Audit Committee
• Auditors in Europe & globally
Global Ombudsperson Network
• Intake and resolve concerns
• Monitor trends/cases
GE’s policies are visible and user friendly
• Report Concerns & Access Resources
• Hotlinks
• 26 Languages
• 13 Policies in simple, reader-friendly language
Data handlers are trained on their obligations
Training and Communication:
For Data Handlers: authorized individuals who process employment data
• Human Resources
• Information Technology
• Managers
• Legal
• Sourcing
Messages via:
• On-line courses
• Live training
• Web articles
Substantial guidance is provided to data handlers
• Business self-audit checklists
• Data protection FAQs
• Country toolkits
• Country experts
• Links to external sites
• Privacy reviews before new systems are implemented
BCRs Benefit Companies and DPAs!
Benefits for companies:
• Unified, global standard
• In-house policy driven by/tailored to a company’s unique culture or business/compliance processes
• More ability to communicate rules, values to employees (better than contracts or safe harbor)
Benefits for DPAs:
• Simplified approval process for BCR
• Fewer unique data processing approvals, if activity covered by BCR
• Better awareness of data protection rights on part of individual
• Increased and clarified role for DPAs in enforcing/approving BCRs of global companies