Binding corporate rules and conclusion
Binding corporate rules (BCRs) can support an accountability framework. Sometimes called the gold standard of global data protection, they are a single set of binding and enforceable rules letting a corporate group move personal data freely between its worldwide entities while all members keep the same high level of protection. Originally created by the European Commission for cross-border transfers, they are now in Article 47. They earn 'gold standard' status because a company must demonstrate its whole compliance framework on application to its lead DPA, which then monitors ongoing compliance. They have proven laborious to obtain. Overall accountability is achieved by building a genuine culture of data protection.
Binding corporate rules are a privacy framework or code implemented by a corporate group. They let personal data move freely between group entities worldwide while ensuring all members keep the same high level of protection via a single set of binding and enforceable rules. The European Commission first created them to facilitate cross-border transfers; they now sit in Article 47.
To use BCRs, a company must demonstrate its entire privacy compliance framework on application to its lead DPA. If approved, the lead DPA monitors ongoing compliance. The framework must show that a policy is in place, staff are trained, a compliance owner is appointed, audits are run, complaints are handled, and transfers are transparent. Obtaining BCRs has proven laborious.
Conclusion: accountability is achieved by building a genuine culture of data protection - appropriate policies, embedded standards, privacy considered during product development, a clear picture of processing activities, risk assessment and minimisation, and every employee understanding their role.