Presentation on theme: "GE’s Binding Corporate Rules: Achievements, Challenges and Solutions"— Presentation transcript:
1 GE’s Binding Corporate Rules: Achievements, Challenges and Solutions
Nuala O’Connor Kelly
Chief Privacy Leader
General Electric Company
2 Six Businesses, Each with a Number of Business Units Aligned for Growth
Note: This is one slide that can be used instead of the individual slides for each business.
GE’s six businesses are organized to serve customers, be they industries, markets, even countries.
Commercial Finance: Insurance • Leasing • Real Estate • Corporate Financial Services • Healthcare Financial Services
Infrastructure: Oil & Gas • Energy • Rail • Aircraft Engines • Water • Energy Financial Services • Aviation Financial Services
Industrial: Consumer & Industrial • Equipment Services • Plastics • Silicones/Quartz • Security • Sensing • Fanuc • Inspection Technologies
Healthcare: Diagnostic Imaging • Clinical Systems • Information Technology • Services • Bio Sciences
Consumer Finance: Europe • Asia • Americas • Australia/New Zealand
NBC Universal: Network • Stations • Entertainment • Universal • Sports/Olympics
Slide labels: Infrastructure • Commercial Finance • Industrial • Healthcare • NBC Universal • GE Money
3 Meeting Global Challenges
Population / Demography • Resource Management • Technology Innovation • Knowledge Flows • Global Integration • Conflict & Security • Institutional Governance
Personalized Healthcare • Philanthropy • Renewables • Nuclear • Water/Desal • Clean Coal • H Turbine • Engine • Evolution Locomotive • Global Research Centers • NBCU • Services in WTO/FTAs • Energy • Healthcare • Financial Services • Container Security • Explosive Detection • Transparency in Governance (Corp/Govt) • Compliance Rigor • Corporate Citizenship
Mobilizing capital and resources. . .
Bringing solutions through our customers. . .
Leading with governments to find solutions. . .
4 A global company with operations in over 100 countries and 300,000+ employees
95,000+ employees in EMEA
5 The GE difference . . .
Leadership commitment to integrity
A culture of compliance supported by world-class systems:
• Policies
• Education & Training
• Communications
• Auditing & Control
6 GE Policies are the Foundation of GE’s Integrity
14 policies, including on privacy, outline GE’s core legal and ethical responsibilities
GE’s global workforce commits to comply:
• New employees receive a copy of The Spirit and Letter handbook and acknowledge that they are required to comply with its policies
• Employees re-acknowledge commitment to S&L every 18 months
• Failure to comply can lead to termination of employment
GE and controlled affiliates are also bound:
“Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.”
7 BCRs Incorporated into GE Policy in 2003
Fair Employment Practices Policy (GE Spirit & Letter)
• Requires respect for “the privacy rights of employees by using, maintaining and transferring their personal data in accordance with applicable Company guidelines and procedures.”
GE Employment Data Protection Standards (Binding Corporate Rules)
• Protects “Employment Data,” defined as “any information about an identified or identifiable person that is obtained in the context of the person’s working relationship with a GE entity.”
8 Today, GE’s BCRs Continue to Provide Strong, Global Data Protection
Key Principles:
Adduces adequate safeguards globally - a high, EU-like standard globally - plus stricter local laws prevail
Key protections
• Transparency and fairness
• Purpose limitation
• Data quality
• Security
• Rights of access, rectification, objection
• Protections for onward transfer
Enforcement
• Internal controls and audits
• Reporting channels for suspected violations
• Cooperation with Data Protection Authorities (DPA)
• Data subject right to seek remedy in home country
Communication and training
9 Binding Corporate Rules: An Effective Compliance Approach for GE
BCRs:
• Consistent with GE’s compliance structure and practices
• Binding on GE entities and employees
• Harmonized global guidelines ensure a consistent, strong protection
• Policies are alive and visible to our employees
• Language is user-friendly and has been translated into many local languages for data handlers and employees around the world
• Company assumes responsibility for providing adequate safeguards for data
• Strong support for a privacy compliant culture from GE senior management
Contracts:
• Complex administration with thousands of entities
• Complex language; not visible to data handlers or employees
Safe Harbor:
• Covers only EU to U.S. transfers
• Does not cover GE’s financial services businesses
11 BCR Approval Process: Prior to Coordinated Process
GE sought recognition of its Standards as a BCR in each country; adopted by German DPAs in July 2003
Lessons Learned:
Challenges for companies:
• Gaining individual approval by 28 EU/EEA countries was time-consuming
• Minor modifications suggested by individual DPAs triggered significant work: re-training of data handlers; revision of operating procedures; renegotiation with prior-approving DPAs
Challenges for DPAs:
• Hard for DPAs to review BCRs and supporting documentation from many different companies
12 BCR Approval Process: Coordinated Process
GE worked with UKIC as “lead authority” for coordinated approval of BCR (mid-2004 through present). As one of the first companies to undertake the BCR approval process, GE worked side-by-side with DPAs in a number of countries to facilitate approval.
Lessons Learned:
• Significant effort required by Lead Authority (and UKIC was excellent!)
• Working collaboratively and transparently with DPA staff and commissioners was effective; in-person meetings essential – but the process took substantial time for GE, the UKIC and all DPAs
• GE resources (HR, Legal, Privacy, Compliance, Audit teams) heavily involved in demonstrating strong controls
• Process can work! GE has approvals in 13 countries; pending in 13 more
15 A strong structure ensures daily compliance
GE’s Policy Governance Structure
Board of Directors Audit Committee
• Regular updates
Policy Compliance Review Board (PCRB)
• Senior GE officers
• Policy oversight
• Business reviews
Legal Organization
• lawyers in Europe & globally
• Dedicated compliance leader in each business
Independent Auditors
• Report to BOD Audit Committee
• auditors in Europe & globally
Global Ombudsperson Network
• Intake and resolve concerns
• Monitor trends/cases
16 GE’s policies are visible and user friendly
• 26 Languages
• Hotlinks
• 13 Policies in simple, reader-friendly language
• Report Concerns & Access Resources
17 Data handlers are trained on their obligations
Training and Communication:
For Data Handlers - authorized individuals who process employment data
• Human Resources
• Information Technology
• Managers
• Legal
• Sourcing
Messages via:
• On-line courses
• Live training
• Web articles
18 Substantial guidance is provided to data handlers
• Business self-audit checklists
• Data protection FAQs
• Country toolkits
• Country experts
• Links to external sites
• Privacy reviews before new systems are implemented
19 BCRs Benefit Companies and DPAs!
Benefits for companies:
• Unified, global standard
• In-house policy driven by/tailored to a company’s unique culture or business/compliance processes
• More ability to communicate rules, values to employees (better than contracts or safe harbor)
Benefits for DPAs:
• Simplified approval process for BCR
• Fewer unique data processing approvals, if activity covered by BCR
• Better awareness of data protection rights on part of individual
• Increased and clarified role for DPAs in enforcing/approving BCRs of global companies
Some DPAs and the Commission are more pragmatic than others; some DPAs require contracts on top of the BCRs.