BS 10012: 2017 Certification and its integration of GDPR Compliance Requirements

Basics

BS 10012 is the British standard for Personal Information Management System (PIMS), and offers a framework for maintaining and improving compliance with data protection requirements and best industry practices. It deals with privacy impact assessments, privacy by design and default, employee awareness training, risk assessments and enables you to put procedures and policies in place to properly manage the personal information of data subjects. 

It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals.

Additionally, BS 10012 provides the framework for implementing a personal information management system around the GDPR data protection principles, and its clauses have been mapped to those principles as follows. View the attached document in the email for further clarification.

  • Principle (a) Lawfully, fairly and transparently processed;
  • Principle (b) Obtained only for specific legitimate purposes (Clause 8.2.7);
  • Principle (c) Adequate, relevant and limited, in line with data limitation principles (Clause 8.2.8);
  • Principle (d) Accurate and up to date, with every effort made to erase or rectify without delay (Clause 8.2.9);
  • Principle (e) Stored in a form that permits identification for no longer than necessary (Clause 8.2.10);
  • Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures (Clause 8.2.11);
  • General accountability for the above.

Since BS 10012 follows the ‘Plan-Do-Check-Act’ continuous improvement model, it helps organizations, irrespective of size, ensure compliance on a regular basis. It also allows integration with ISO certifications, as it is aligned with ISO Annex SL and with other standards, notably ISO/IEC 27001:2013, the global standard for information security, and ISO 9001.

Method of Implementation

There are certain steps that need to be taken to meet the requirements of BS 10012:

  • Identify the requirements of stakeholders of the PIMS.
  • Scope the PIMS to ensure all relevant areas are covered.
  • Establish a project team and project leader.
  • Involve top leadership and obtain their support.
  • Develop PIMS objectives and draw up a PIMS policy.
  • Build the necessary competence to implement and manage the PIMS.
  • Undertake data inventory and data flow mapping exercises.
  • Set up a process for establishing the legal basis for processing PII.
  • Create PIAs and risk management structures.
  • Establish a programme to incorporate privacy by design.
  • Undertake staff awareness programmes.
  • Develop the necessary PIMS policies and procedures, including processes for consent, subject access requests and data breaches.
  • Introduce a process for sharing, storing, disposing and transferring data.
  • Establish a continual improvement programme.
  • Undertake an internal audit.
  • Apply for certification (voluntary).

Achieving Total Compliance

Organisations can use BS 10012 simply as a framework for good practice. Article 42 of the GDPR, however, encourages the use of independent certification schemes to demonstrate compliance. Whilst BS 10012 is not a complete model for GDPR compliance, this PIMS will help to protect your organisation from personal data breaches and prove your credentials to partners, clients and your employees. To prevent the duplication of standard practices, certifying to ISO 27001 in conjunction with BS 10012 enables organisations to demonstrate not only compliance with the privacy elements of the GDPR (and similar laws), but also the information security requirements (referred to as the technical and organisational measures required by Article 32).

More articles by Rohit Hebbale Ramkumar
