What is a privacy compliance framework?
The DPA (Data Protection Act) 2018 and UK GDPR (General Data Protection Regulation), and the EU GDPR require organisations to implement “appropriate technical and organisational measures” to secure the personal data they process.
They must also follow the accountability principle. This means being responsible for, and able to demonstrate their compliance with, the Regulation’s data processing principles.
This can best be achieved via a privacy compliance framework: a formal structure for managing the security of personal data.
If your organisation has not developed its own privacy compliance framework, there are currently two standards that you can use to ease your path to GDPR compliance: BS 10012:2017 and ISO/IEC 27701:2019.
Implementing these standards – and, where possible, achieving independently accredited certification – will demonstrate to regulators such as the UK’s ICO (Information Commissioner’s Office) that you have carried out due diligence and are doing all you can to comply with the law.
UK data protection law is currently being revised. We are following the progress of the Data Protection and Digital Information (No.2) Bill through parliament and will keep you updated on how it might affect your data processing obligations.
BS 10012 PIMS (personal information management system)
BS 10012:2017 is a revised version of the original BS 10012:2017 specification for a Personal Information Management System (PIMS), which sets out the requirements for how organisations can effectively manage and protect personal data. The revision includes updates to take account of the EU General Data Protection Regulation (GDPR).
It provides a well-defined structure for managing data protection and is designed to follow the PDCA (plan-do-check-act) cycle to ensure continual improvement.
Find out more about the BS 10012:2017 standard
ISO 27701 PIMS (privacy information management system)
Certification to ISO 27001 – the international standard for an ISMS (information security management system) – demonstrates that your organisation follows information security best practice.
ISO/IEC 27701:2019 is an extension to ISO 27001 that enables organisations to account for privacy management – including their processing of personal data – in their security management activities.
Like an ISO 27001-compliant ISMS, an ISO 27701 PIMS advocates a risk-based approach, ensuring the security controls you implement are appropriate to the risks your organisation faces.
Find out more about the ISO/IEC 27701:2019 standard
What is the difference between BS 10012 and ISO 27701?
Both standards set out the requirements for a management system designed to secure the processing of personal data.
BS 10012 is aligned with the GDPR and UK DPA (Data Protection Act) 2018, so if you need to comply with those laws only, the British standard will suit your purposes.
ISO 27701, on the other hand, avoids aligning with any one specific data protection regime, which gives it much wider potential application. If you process personal data that is covered by another data privacy law, or a number of differing laws, then ISO 27701 may be a better fit for your organisation.
Likewise, if you already have an ISO 27001-compliant ISMS in place, or are in the process of implementing one, ISO 27701 makes much more sense as the two management systems are designed to be integrated.