GE’s Binding Corporate Rules: Achievements, Challenges and Solutions

Presentation transcript:

GE’s Binding Corporate Rules: Achievements, Challenges and Solutions
Nuala O’Connor Kelly, Chief Privacy Leader, General Electric Company
Nuala.o’connorkelly@ge.com

Six Businesses, Each with a Number of Business Units Aligned for Growth
Note: This is one slide that can be used instead of the individual slides for each business. GE’s six businesses are organized to serve customers, be they industries, markets, even countries.
- Commercial Finance: Insurance • Leasing • Real Estate • Corporate Financial Services • Healthcare Financial Services
- Infrastructure: Oil & Gas • Energy • Rail • Aircraft Engines • Water • Energy Financial Services • Aviation Financial Services
- Industrial: Consumer & Industrial • Equipment Services • Plastics • Silicones/Quartz • Security • Sensing • Fanuc • Inspection Technologies
- Healthcare: Diagnostic Imaging • Clinical Systems • Information Technology • Services • Bio Sciences
- Consumer Finance (GE Money): Europe • Asia • Americas • Australia/New Zealand
- NBC Universal: Network • Stations • Entertainment • Universal • Sports/Olympics

Meeting Global Challenges
Challenges: Population / Demography; Resource Management; Technology Innovation; Knowledge Flows; Global Integration; Conflict & Security; Institutional Governance
GE responses: Personalized Healthcare; Philanthropy; Renewables; Nuclear; Water/Desal; Clean Coal; H Turbine; Engine Evolution; Locomotive; Global Research Centers; NBCU; Services in WTO/FTAs; Energy; Healthcare; Financial Services; Container Security; Explosive Detection; Transparency in Governance (Corp/Govt); Compliance Rigor; Corporate Citizenship
Mobilizing capital and resources. . . Bringing solutions through our customers. . . Leading with governments to find solutions. . .

A global company with operations in over 100 countries and 300,000+ employees; 95,000+ employees in EMEA

The GE difference . . .
- Leadership commitment to integrity
- A culture of compliance supported by world-class systems: Policies; Education & Training; Communications; Auditing & Control

GE Policies are the Foundation of GE’s Integrity
- 14 policies, including on privacy, outline GE’s core legal and ethical responsibilities
- GE’s global workforce commits to comply:
  - New employees receive a copy of The Spirit and Letter handbook and acknowledge that they are required to comply with its policies
  - Employees re-acknowledge commitment to S&L every 18 months
  - Failure to comply can lead to termination of employment
- GE and controlled affiliates are also bound: “Subsidiaries and other controlled affiliates throughout the world must adopt and follow corresponding policies. A controlled affiliate is a subsidiary or other entity in which GE owns, directly or indirectly, more than 50% of the voting rights, or in which the power to control the entity is possessed by or on behalf of GE.”

BCRs Incorporated into GE Policy in 2003
- Fair Employment Practices Policy (GE Spirit & Letter): requires respect for “the privacy rights of employees by using, maintaining and transferring their personal data in accordance with applicable Company guidelines and procedures.”
- GE Employment Data Protection Standards (Binding Corporate Rules): protects “Employment Data,” defined as “any information about an identified or identifiable person that is obtained in the context of the person’s working relationship with a GE entity.”

Today, GE’s BCRs Continue to Provide Strong, Global Data Protection
Key principles: adduces adequate safeguards globally - a high, EU-like standard globally - plus stricter local laws prevail
Key protections:
- Transparency and fairness
- Purpose limitation
- Data quality
- Security
- Rights of access, rectification, objection
- Protections for onward transfer
Enforcement:
- Internal controls and audits
- Reporting channels for suspected violations
- Cooperation with Data Protection Authorities (DPA)
- Data subject right to seek remedy in home country
- Communication and training

Binding Corporate Rules: An Effective Compliance Approach for GE
BCRs:
- Consistent with GE’s compliance structure and practices
- Binding on GE entities and employees
- Harmonized global guidelines ensure a consistent, strong protection
- Policies are alive and visible to our employees
- Language is user-friendly and has been translated into many local languages for data handlers and employees around the world
- Company assumes responsibility for providing adequate safeguards for data
- Strong support for a privacy compliant culture from GE senior management
Contracts:
- Complex administration with thousands of entities
- Complex language; not visible to data handlers or employees
Safe Harbor:
- Covers only EU to U.S. transfers
- Does not cover GE’s financial services businesses

BCR Approval Process

BCR Approval Process: Prior to Coordinated Process
GE sought recognition of its Standards as a BCR in each country; adopted by German DPAs in July 2003
Lessons learned:
- Challenges for companies:
  - Gaining individual approval by 28 EU/EEA countries was time-consuming
  - Minor modifications suggested by individual DPAs triggered significant work: re-training of data handlers; revision of operating procedures; renegotiation with prior-approving DPAs
- Challenges for DPAs:
  - Hard for DPAs to review BCRs and supporting documentation from many different companies

BCR Approval Process: Coordinated Process
GE worked with UKIC as “lead authority” for coordinated approval of BCR (mid-2004 through present). As one of the first companies to undertake the BCR approval process, GE worked side-by-side with DPAs in a number of countries to facilitate approval.
Lessons learned:
- Significant effort required by Lead Authority (and UKIC was excellent!)
- Working collaboratively and transparently with DPA staff and commissioners was effective; in-person meetings essential – but the process took substantial time for GE, the UKIC and all DPAs
- GE resources (HR, Legal, Privacy, Compliance, Audit teams) heavily involved in demonstrating strong controls
- Process can work! GE has approvals in 13 countries; pending in 13 more

Managing Practical Implementation Regionally & Globally

GE Privacy Structure
- Policy Compliance Review Board (PCRB)
- GE General Counsel
- Chief Privacy Leader: policy development; practice facilitator
- Poles: US Privacy Leaders; European Privacy Leaders; Asian Privacy Leaders
- Corporate: Employment Data Privacy Committee; Global Privacy Council; Corp Audit & Compliance Team
- Businesses: Chief Privacy Leaders; Data Protection Review Boards; Senior HR/IT Leaders

A strong structure ensures daily compliance
GE’s Policy Governance Structure:
- Board of Directors Audit Committee: regular updates
- Policy Compliance Review Board (PCRB): senior GE officers; policy oversight; business reviews
- Legal Organization: lawyers in Europe & globally; dedicated compliance leader in each business
- Independent Auditors: report to BOD Audit Committee; auditors in Europe & globally
- Global Ombudsperson Network: intake and resolve concerns; monitor trends/cases

GE’s policies are visible and user friendly
- 26 Languages
- Hotlinks
- 13 Policies in simple, reader-friendly language
- Report Concerns & Access Resources

Data handlers are trained on their obligations
Training and Communication: for Data Handlers - authorized individuals who process employment data
- Human Resources
- Information Technology
- Managers
- Legal
- Sourcing
Messages via: on-line courses; live training; web articles

Substantial guidance is provided to data handlers
- Business self-audit checklists
- Data protection FAQs
- Country toolkits
- Country experts
- Links to external sites
- Privacy reviews before new systems are implemented

BCRs Benefit Companies and DPAs!
Benefits for companies:
- Unified, global standard
- In-house policy driven by/tailored to a company’s unique culture or business/compliance processes
- More ability to communicate rules, values to employees (better than contracts or safe harbor)
Benefits for DPAs:
- Simplified approval process for BCR
- Fewer unique data processing approvals, if activity covered by BCR
- Better awareness of data protection rights on part of individual
- Increased and clarified role for DPAs in enforcing/approving BCRs of global companies
Some DPAs and the Commission are more pragmatic than others; some DPAs require contracts on top of the BCRs.