What is BS 10012?
BS 10012 is a British standard that outlines the specifications for a PIMS. The framework has been developed to help organisations comply with the data protection requirements imposed by laws such as the EU’s GDPR (General Data Protection Regulation).
What are the benefits of a PIMS?
A PIMS supported by BS 10012 upholds the principles of the GDPR and offers reassurance to stakeholders that personal data is managed in line with best practice.
- Demonstrate compliance with the GDPR and other data protection laws.
- Improve structure and focus of data privacy management.
- Embed personal data management in your organisation’s culture.
- Take a risk-based approach to data privacy management.
- Encourage continual improvement to adapt to changes inside and outside the organisation.
- Integrate with other leading standards, such as ISO 27001, for total GDPR compliance.
How to implement a PIMS
Implementing a management system requires a structured approach and involves the entire organisation.
Here are the key steps to meet the requirements of BS 10012:
- Identify the requirements of stakeholders of the PIMS.
- Scope the PIMS to ensure all relevant areas are covered.
- Establish a project team and project leader.
- Involve top leadership and obtain their support.
- Develop PIMS objectives and draw up a PIMS policy.
- Build the necessary competence to implement and manage the PIMS.
- Undertake data inventory and data flow mapping exercises.
- Set up a process for establishing the legal basis for processing PII (personally identifiable information).
- Create PIAs (privacy impact assessments) and risk management structures.
- Establish a programme to incorporate privacy by design.
- Undertake staff awareness programmes.
- Develop the necessary PIMS policies and procedures, including processes for consent, subject access requests and data breaches.
- Introduce a process for sharing, storing, disposing and transferring data.
- Establish a continual improvement programme.
- Undertake an internal audit.
- Apply for certification (voluntary).
Certification to BS 10012
Organisations can use BS 10012 simply as a framework for good practice. Article 42 of the GDPR, however, encourages the use of independent certification schemes to demonstrate compliance. A PIMS certified to BS 10012 delivers an independent assessment of the organisation’s personal data management practices and enables organisations to prove that they have taken necessary and reasonable measures to comply with the GDPR. Whilst BS 10012 is not a complete model for GDPR compliance, a PIMS built on it will help to protect your organisation from personal data breaches and prove your credentials to partners, clients and employees.
Achieve full GDPR compliance with BS 10012 and ISO 27001
Certifying to the international information security management standard (ISO 27001) in conjunction with BS 10012 enables organisations to demonstrate compliance not only with the privacy elements of the GDPR (and similar laws) but also with its information security requirements (the technical and organisational measures required by Article 32).
BS 10012 has been developed in line with international management system standards such as ISO 27001 to eliminate duplication of standard practices.
How IT Governance can help you comply
IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations globally address the challenges of EU GDPR compliance.