Here are our 5 big takeaways from this story:
- First by the ICO – First Data is the first company to obtain authorisation for BCRs for Processors under the leadership of the UK’s Information Commissioner’s Office (“ICO“). The only other DPAs to have led a successful application for Processor BCRs are the Dutch DPA and the French CNIL.
- First payment processor – First Data is the only payments technology company to obtain such authorisation. First Data will no longer need to enter into model contracts with many of its clients, simplifying the contractual process. This should give it a competitive advantage in a marketplace that is increasingly sensitive to privacy issues.
- Dual approval – First Data is one of only five companies worldwide that has completed this rigorous process for information processed both as a Data Processor and as a Data Controller.
- 2 Year project - The Data Processor authorisation is the culmination of a two-year project. If you are considering making an application, this is a guide to the timescales you should be expecting (although this was the first application and the process may be streamlined).
- Easier for Data Controllers – The BCRs approval will open the door to a streamlined process for Data Controllers wanting to rely on the BCRs to enable their data to be shared across borders.