The EU GDPR (General Data Protection Regulation) hasn’t been around for long, but we’re already seeing a huge increase in data breaches reported to the ICO (Information Commissioner’s Office). In the past two years, the number of reported data breaches has risen by 75%.
Data breaches can wreak havoc, leaving organisations facing fines and reputational damage – and forcing them to admit that their personal data wasn’t secure after all.
Now there’s an opportunity to do something about it
BS 10012 is the new kid on the block. It’s a British standard that lays out the specifications and requirements for a PIMS (personal information management system). The 2017 version has been specifically designed to help organisations implement processes, policies and controls for GDPR compliance. BS 10012 also supports the effective management of risks related to personal data.
Why use BS 10012?
The ICO states that certification to approved standards and codes of conduct is a way of demonstrating that you have adopted a systematic and comprehensive approach to GDPR compliance, in line with the accountability principle.
Certification to schemes and frameworks can also help you demonstrate transparency and accountability, reduce the risk of a data breach and provide mitigating evidence in the event of a breach.
Is conformance to BS 10012 sufficient for overall GDPR compliance?
Although it covers a massive amount of ground to support compliance, BS 10012 is not a complete model for GDPR compliance. It offers a structured approach to managing your obligations under the Regulation, but it doesn’t offer specific guidance on, for instance, the technical and organisational measures required under Article 32 of the GDPR. Organisations will need to rely on other sources of information, such as ISO 27001, the information security standard.
A management system like any other
If you’re familiar with ISO 27001, you’ll be pleased to know that BS 10012 is aligned with Annex SL, the common high-level structure shared by ISO management system standards, and so already fits alongside them. This means that if you’ve implemented another management system standard, you’ll be able to incorporate BS 10012 into your existing management system without too much effort.
Although as yet no accredited certification scheme for BS 10012 exists, organisations could consider incorporating BS 10012 controls into their ISMS (information security management system) when seeking ISO 27001-accredited certification – which is exactly what IT Governance recently did in a world first.