Companies should go through the following five steps if they choose to obtain BCR approval:
Step 1: Designate the lead EU data protection authority (“DPA”), i.e. the authority which will be handling the EU co-operation procedure among the other European DPAs.
Step 2: Draft and submit a BCR which meets the safeguards required by the Directive.
Step 3: The lead authority will start the EU cooperation procedure by circulating the draft BCR to the relevant DPA, i.e. of those countries from where entities of the group transfer personal data to entities located outside of the EU.
Step 4: The EU co-operation procedure is closed after the countries under mutual recognition have acknowledged receipt of the BCR and those which are not under mutual recognition have determined that the BCR provides sufficient safeguards.
Step 5: When the draft BCR has been considered final by all concerned DPAs, the company requests authorization to transfer data on the basis of the adopted BCR.