Taking data privacy seriously in the digital era

By Richard Montbeyre, Chief Privacy Officer, BMC Software.

  • Friday, 17th May 2024. Posted by Phil Alsop

As customer data breaches continue to happen, and get larger and larger, customer privacy concerns are again front-page news. It seems an opportune time to bring some good news to the table and announce that BMC has obtained binding corporate rules (BCRs) in the UK, in addition to the EU BCRs that we’ve held for almost a decade. Data privacy is no longer a nice-to-have. It’s a business imperative in today’s always-on digital world, and one that BMC takes very seriously.

BCRs are a privacy compliance framework derived from European and, since the UK exited the EU, UK privacy laws. They are the permission and legal instrument given to global organisations by European and UK regulators to transfer data outside Europe in accordance with the EU General Data Protection Regulation (GDPR).

BMC extended our BCR certification from 2015 to satisfy the UK regulation post-Brexit. The new authorisation applies both to our own data, like HR, finance, and procurement data, and most importantly, our customer data. Recent research shows us that more customers want to know what companies do with their information, and it’s becoming integral to their brand loyalty.

Why BCRs matter

According to the International Association of Privacy Professionals (IAPP) Privacy and Consumer Trust report, 64 percent of consumers surveyed said their trust is enhanced when companies provide clear information about their privacy policies. On top of that, the 2023 MediaMath Consumer Privacy Survey found that 65 percent of consumers said misuse of personal data would be the top reason they would lose trust in a brand.

By establishing BCRs in the UK and Europe, BMC assures customers that we are treating their data with the utmost care and attention to security. BCRs are special because they’re an explicit recognition by regulators that we have established a comprehensive compliance program not only in the EU and the UK, but across the board. Regulators consider BCRs the gold standard because they require a much more labour-intensive process to pursue than alternative legal instruments such as standard contractual clauses (SCCs), which are much easier to attain and are in use by most companies operating in Europe.

The number of companies that have obtained both EU and UK BCRs is extremely small (15 to date)—and BMC is the first US-based IT company to do so with such a comprehensive scope, applicable both to its own data (as a “data controller”), and to its customers’ data (as a “data processor”). Having both EU and UK BCRs is an official seal, validating that BMC is enforcing the same protections for handling and retaining our own data and our customers’ data in the 40 countries where we operate and wherever we transfer it.

Going the extra mile

Attaining the UK BCRs was a very collaborative effort across BMC and with our outside legal partners. We were required to assure regulators of a full governance framework, with a consistent level of compliance for our customer and vendor agreements, maintained with internal training and audits across the entire organisation. As part of our submission process, we shared the very specific details and operational processes around personal data handling to demonstrate our compliance with the regulators’ obligations.

We have established internal data governance processes that span legal, information security (InfoSec), information systems and technology (IS&T), marketing, and procurement, as well as other departments, so that data governance has become embedded into the business. We have quarterly meetings with our executive leadership team, and conduct annual employee data privacy training.

There is also a special, expedited process for handling any customer privacy complaints. And we will keep the BCRs continuously updated, amending them regularly as needed and notifying regulators every year to inform them of any changes.

We are particularly aware and mindful of the important responsibility to secure data against threat, and to treat it in a manner that is not just compliant but also responsible and transparent to our customers and employees, so our BCRs are publicly available online here.

We’re proud to comply with both the EU and UK BCRs as part of the BMC commitment to deliver service excellence and support our environmental, social, and governance (ESG) initiatives. We have gone the extra mile to provide our customers with the highest, most recognised certification for privacy because privacy is a fundamental right and an essential duty for organisations in the digital era.
