Richard Montbeyre – BMC Software | Blogs

Taking Data Privacy Seriously in the Digital Era
https://s7280.pcdn.co/data-privacy-digital-age/
Thu, 02 May 2024 07:00:32 +0000

As customer data breaches continue to happen, and get larger and larger, customer privacy concerns are again front-page news. It seems an opportune time to bring some good news to the table and announce that BMC has obtained binding corporate rules (BCRs) in the UK, in addition to the EU BCRs that we’ve held for almost a decade. Data privacy is no longer a nice-to-have. It’s a business imperative in today’s always-on digital world, and one that BMC takes very seriously.

What BCRs are

BCRs are a privacy compliance framework derived from European privacy laws and, since the UK exited the EU, from UK privacy laws as well. They are the permission and legal instrument given to global organizations by European and UK regulators to transfer data outside Europe in accordance with the EU General Data Protection Regulation (GDPR).

BMC extended our BCR certification from 2015 to satisfy the UK regulation post-Brexit. The new authorization applies both to our own data, like HR, finance, and procurement data, and most importantly, our customer data. Recent research shows us that more customers want to know what companies do with their information, and it’s becoming integral to their brand loyalty.

Why BCRs matter

According to the International Association of Privacy Professionals (IAPP) Privacy and Consumer Trust report, 64 percent of consumers surveyed said their trust is enhanced when companies provide clear information about their privacy policies. On top of that, the 2023 MediaMath Consumer Privacy Survey found that 65 percent of consumers said misuse of personal data would be the top reason they would lose trust in a brand.

By establishing BCRs in the UK and Europe, BMC assures customers that we are treating their data with the utmost care and attention to security. BCRs are special because they’re an explicit recognition by regulators that we have established a comprehensive compliance program not only in the EU and the UK, but across the board. Regulators consider BCRs the gold standard because they require a much more labor-intensive process to pursue than alternative legal instruments such as standard contractual clauses (SCCs), which are much easier to attain and are in use by most companies operating in Europe.

The number of companies that have obtained both EU and UK BCRs is extremely small (15 to date)—and BMC is the first US-based IT company to do so with such a comprehensive scope, applicable both to its own data (as a “data controller”), and to its customers’ data (as a “data processor”). Having both EU and UK BCRs is an official seal, validating that BMC is enforcing the same protections for handling and retaining our own data and our customers’ data in the 40 countries where we operate and wherever we transfer it.

Going the extra mile

Attaining the UK BCRs was a very collaborative effort across BMC and with our outside legal partners. We were required to assure regulators of a full governance framework, with a consistent level of compliance for our customer and vendor agreements, maintained with internal training and audits across the entire organization. As part of our submission process, we shared the very specific details and operational processes around personal data handling to demonstrate our compliance with the regulators’ obligations.

We have established internal data governance processes that span legal, information security (InfoSec), information systems and technology (IS&T), marketing, and procurement, as well as other departments, so that it has become embedded into the business. We have quarterly meetings with our executive leadership team, and conduct annual employee data privacy training.

There is also a special, expedited process for handling any customer privacy complaints. And we will keep the BCRs continuously updated, amending them regularly as needed and notifying regulators every year to inform them of any changes.

We are particularly aware and mindful of the important responsibility to secure data against threat, and to treat it in a manner that is not just compliant but also responsible and transparent to our customers and employees, so our BCRs are publicly available online here.

We’re proud to comply with both the EU and UK BCRs as part of the BMC commitment to deliver service excellence and support our environmental, social, and governance (ESG) initiatives. We have gone the extra mile to provide our customers with the highest, most recognized certification for privacy because privacy is a fundamental right and an essential duty for organizations in the digital era.

BMC Enhances Protection for EU Data
https://www.bmc.com/blogs/enhances-protection-eu-data/
Wed, 04 Aug 2021 14:27:29 +0000

BMC reached an important milestone in its journey and commitment to protect customer privacy in 2015, when we became the world’s first leading enterprise software solution provider to get approval from the European Union (EU) for our Data Privacy Binding Corporate Rules (BCR) both as a controller (where BMC collects data for its own benefit), and as a processor (where BMC processes data on its customers’ behalf). EU BCR are considered the world’s best-in-class standard of data protection to this date.

In this blog, we will discuss the additional measures BMC has put in place to keep delivering the highest level of protection to customer personal data in the context of the latest EU developments known as Schrems II.

What changed?

In July 2020, the European Court of Justice (ECJ) reminded global organizations that EU personal data needed to be protected, regardless of the location of such data, including if located in the EU, since the receiving party of such data is now of greater importance. The ECJ was specifically concerned about foreign public authorities and established the Schrems II ruling to prevent their unlawful access to EU personal data.

Organizations across the world accessing EU personal data are now required to implement further technical, organizational, and contractual measures to ensure they have an adequate level of protection.

BMC’s further commitments

To support compliance with the Schrems II ruling and prevent unlawful access to our customers’ personal data, BMC has implemented supplementary measures, which include:

– Restrictions to accessing data

BMC has a broad global distribution of personnel and data centers that allow customers to select the location of their data, dependent on their BMC offerings and services. BMC entities, all subject to the BCR, are used for general service operations such as backups, patching, and upgrades. In addition, automation is widely used, where possible, to avoid manual intervention.

– Data encryption

BMC offers a wide range of state-of-the-art data encryption options, both at rest and in transit, to protect data as it is stored and accessed. Decryption keys may be exclusively retained by the customer, again dependent on their BMC offerings and services.

– Customer support privacy policies

BMC supports data minimization and provides secure channels for customers to engage with BMC support resources, effectively limiting personal data sharing to that which is strictly necessary to perform our services.

– Transparency towards customers and competent authorities

According to our BCR policy and standard customer Data Processing Agreement (DPA), BMC will put any disclosure request from a public authority on hold and promptly notify the customer and the competent data protection authority. If prohibited from doing so, BMC will make its best effort, including using reasonable legal action (see below), to have the requesting body waive that prohibition. If unsuccessful, BMC will provide its competent supervisory authority with an annual report of such requests for disclosure to the extent BMC is authorized to do so.

– Challenging unlawful disclosure requests and reporting to data protection authorities

Whenever legally possible, BMC will challenge requests to disclose customer data under EU law and the laws of the requesting body, in accordance with our DPA.

This blog is provided as of the date of publication and is not to be considered as legal advice. For more details on BMC’s security and privacy positions, please visit the BMC Trust Center, check out our EU Personal Data Transfers Q&A, and contact your BMC representative.
