Privacy Compliance Framework
A privacy compliance framework provides a structure for managing personal data that an organisation can use to comply with the GDPR (General Data Protection Regulation).
Organisations that have not developed their own privacy compliance frameworks can use a standardised framework to ease their path to GDPR compliance.
Meanwhile, organisations that do have privacy compliance frameworks can obtain certification to national and international standards to demonstrate to regulators that due diligence and compliance efforts have been made.
Standardised compliance frameworks
A privacy compliance framework combines three key areas: an accountability framework, compliance with the data protection principles, and management systems.
There are currently two recognised standards or frameworks that could be used as part of a privacy compliance framework to demonstrate GDPR compliance: a BS 10012:2017 personal information management system (PIMS) and an ISO 27001:2013 information security management system (ISMS).
Personal information management system (PIMS)
BS 10012:2017 is the British standard that specifies the requirements for a personal information management system (PIMS), and is aligned with the requirements of the GDPR.
It provides a well-defined structure for managing data protection, and is designed to follow the plan-do-check-act cycle (PDCA) to ensure continual improvement.
Information security management system (ISMS)
Certification to ISO 27001 demonstrates that your company follows information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected. Internationally recognised, it is sector-agnostic, does not favour any one technology or solution, and can be used by organisations of any size.
The ISO 27001 risk-based approach to implementing information security controls is an excellent approach to meeting the GDPR requirement that organisations implement appropriate technical and organisational controls to ensure the “confidentiality, integrity and availability” of processing systems and services.