The BMC Beat Blog

Taking Data Privacy Seriously in the Digital Era

4 locks
3 minute read
Richard Montbeyre

As customer data breaches continue to happen—and get larger and larger, customer privacy concerns are again front page news. It seems an opportune time to bring some good news to the table and announce that BMC has obtained binding corporate rules (BCRs) in the UK, in addition to the EU BCRs that we’ve held for almost a decade. Data privacy is no longer a nice to have. It’s a business imperative in today’s always-on digital world, and one that BMC takes very seriously.

What BCRs are

BCRs are a privacy compliance framework derived from European, and now, UK, privacy laws since the UK exited the EU. They are the permission and legal instrument given to global organizations by European and UK regulators to transfer data outside Europe in accordance with the EU General Data Protection Regulation (GDPR).

BMC extended our BCR certification from 2015 to satisfy the UK regulation post-Brexit. The new authorization applies both to our own data, like HR, finance, and procurement data, and most importantly, our customer data. Recent research shows us that more customers want to know what companies do with their information, and it’s becoming integral to their brand loyalty.

Why BCRs matter

According to the International Association of Privacy Professionals (IAPP) Privacy and Consumer Trust report, 64 percent of consumers surveyed said their trust is enhanced when companies provide clear information about their privacy policies. On top of that, the 2023 MediaMath Consumer Privacy Survey found that 65 percent of consumers said misuse of personal data would be the top reason they would lose trust in a brand.

By establishing BCRs in the UK and Europe, BMC assures customers that we are treating their data with the utmost care and attention to security. BCRs are special because they’re an explicit recognition by regulators that we have established a comprehensive compliance program not only in the EU and the UK, but across the board. Regulators consider BCRs the gold standard because they require a much more labor-intensive process to pursue than alternative legal instruments such as standard contractual clauses (SCCs), which are much easier to attain and are in use by most companies operating in Europe.

The number of companies that have obtained both EU and UK BCRs is extremely small (15 to date)—and BMC is the first US-based IT company to do so with such a comprehensive scope, applicable both to its own data (as a “data controller”), and to its customers’ data (as a “data processor”). Having both EU and UK BCRs is an official seal, validating that BMC is enforcing the same protections for handling and retaining our own data and our customers’ data in the 40 countries where we operate and wherever we transfer it.

Going the extra mile

Attaining the UK BCRs was a very collaborative effort across BMC and with our outside legal partners. We were required to assure regulators of a full governance framework, with a consistent level of compliance for our customer and vendor agreements, maintained with internal training and audits across the entire organization. As part of our submission process, we shared the very specific details and operational processes around personal data handling to demonstrate our compliance with the regulators’ obligations.

We have established internal data governance processes that span legal, information security (InfoSec), information systems and technology (IS&T), marketing, and procurement, as well as other departments, so that it has become embedded into the business. We have quarterly meetings with our executive leadership team, and conduct annual employee data privacy training.

There is also a special, expedited process for handling any customer privacy complaints. And we will keep the BCRs continuously updated, amending them regularly as needed and notifying regulators every year to inform them of any changes.

We are particularly aware and mindful of the important responsibility to secure data against threat, and to treat it in a manner that is not just compliant but also responsible and transparent to our customers and employees, so our BCRs are publicly available online here.

We’re proud to comply with both the EU and UK BCRs as part of the BMC commitment to deliver service excellence and support our environmental, social, and governance (ESG) initiatives. We have gone the extra mile to provide our customers with the highest, most recognized certification for privacy because privacy is a fundamental right and an essential duty for organizations in the digital era.

Corporate Social Responsibility Report

The BMC Corporate Citizenship and ESG Impact Report captures our annual activities as an organization, employer, and global workforce of over 6,000 in service of BMC's corporate social responsibility (CSR) strategy.


These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing blogs@bmc.com.

Business, Faster than Humanly Possible

BMC works with 86% of the Forbes Global 50 and customers and partners around the world to create their future. With our history of innovation, industry-leading automation, operations, and service management solutions, combined with unmatched flexibility, we help organizations free up time and space to become an Autonomous Digital Enterprise that conquers the opportunities ahead.
Learn more about BMC ›

About the author

Richard Montbeyre

Richard Montbeyre joined BMC in 2017 and serves as Chief Privacy Officer and Data Privacy Officer. He is responsible for BMC’s privacy program and monitors compliance with BMC’s Binding Corporate Rules (BCR) and implements privacy requirements, including EU General Data Protection Regulation (GDPR) and emerging regulations across the board.

He holds two Masters in Law from La Sorbonne and Panthéon-Assas Universities (Paris), and was admitted to the Paris Bar in 2008. He is CIPP/E and CIPM certified by the International Association of Privacy Professionals (IAPP) and holds a DPO certification, delivered by the French standardization organization (AFNOR).