The creators of isology®

isology® is a world-leading proven step by step roadmap to achieve ISO certification.

Implemented for over 600 organisations with a 100% success rate, we take you from the planning and creation of your bespoke ISO System though to certification with our 7 step process.

Allowing employees to use personal email accounts to conduct business means that your company’s business information is being stored on mail servers outside of your control, anywhere in the world.  You have no way of knowing all the places where your company data is stored, or where it’s been transmitted. This is a breach of the Data Protection Act 2018 and GDPR; for which there are fines for companies and individuals of anything up to £18m.

It could be argued that there is a potential breach of the Computer Misuse Act 1990 as the information that should have been held on a company laptop and in company servers has been found in an employee’s system.

A personal email account is open to searches that are not permitted by the business and not covered by your company’s security policies; because employees may have agreed to Gmail/Hotmail Terms and Conditions (which allow for email content searches), to allow targeted advertising. You may have a good data privacy policy in place, but personal email accounts can bypass it with one click of the “Send” button. Again, you will be in breach of the Data Protection Act 2018.

Understanding the risks and implications of using personal accounts for business is not always apparent until there are Freedom of Information requests, internal investigations, or eDiscovery.  In all these cases, those personal accounts may contain relevant information and as such have to be offered-up for search and retrieval. This is a breach of the Freedom of Information Act 2000

Even the act of discovery is difficult – Personal emails are not discoverable in standard legal discovery procedures. Google for example prohibits external scanning of users’ emails (several cases are currently under way), meaning the company will have to instruct the user to scan his or her email themselves and runs a big risk of spoliation sanctions.  If the issue is regulatory, the company is likely to be found to be breaking the Law.

If there is a serious security incident that requires a legal investigation the police and courts can take measures to seize both business and private employee IT equipment, under the Police and Criminal Evidence Act 1984 if there is a chance that evidence has held on any equipment used in the course of business. The chances of getting equipment back is very slim as it is often bonded and retained as part of a criminal investigation.

Furthermore, the company can be facing a lawsuit under the Police and Criminal Evidence Act 1984 if it is deemed that evidence has been withheld because of the company not being able to access information no longer in their control on employee PCs or legal cases could fail as there would be serious doubt about the integrity of the evidence being presented and a Judge may consider the evidence to be inadmissible.

Any employee in a business sending personal/personnel information to their personal e-mail addresses automatically breaches the Data Protection Act 2018 and GDPR, and is subject to the same enforcements under the ICO which might results in heavy fines.

In short, sending an e-mail to a personal account, or using a personal account for business use is a legal minefield that is not worth traversing either as a business or employee as the damage to reputation can never be repaired.

If you are concerned about your organisations’ data security then you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).

If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.

We’d love to hear your views and comments about the ISO Show, here’s how:

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Banner image - Top Tips on implementing BS 10012 to meet GDPR requirements

BS 10012 is a British standard that outlines the specifications for a Personal Information Management System (PIMS). This was introduced in 2009 to help organisations manage personal information and comply with data protection laws. 

The standard was updated in 2017 to reflect the GDPR’s requirements, making it an ideal framework for regulatory compliance. For example, it includes specific guidance on each principal, helping organisations meet the requirements of BS10012 and GDPR. 

After implementing BS 10012 for a number of organisations, here are our Top tips on implementing BS 10012.

  • Establish a PIMS team – this is not a one-person job.  You will need to have input from all areas that are involved with personal data.
  • Carry out a Privacy Impact Assessment – It is important to understand where all the personal identifiable data is within the organisation, how it is collected and how it is disposed.  (remember this is all Data – soft and hard copies – get in to all the drawers and cupboards)
  • Data mapping – collate the information on a data matrix, this would show all the information in one place.
  • Carry out a risk assessment – the data matrix will flag up any risks that need addressing
  • Update documentation – Ensure all documents are updated i.e data protection policies, cookie policy and privacy policy.
  • Training, training and more training – people are the weakest link, ensure ALL staff have had BS 100012 training
  • Conduct Internal Audits – to verify compliance and check your systems are effective. 

Implementing a PIMS can be challenging so if you would like assistance please contact us for further information on: enquiries@blackmoresuk.com

What’s the difference between BS 10012 and GDPR?

The General Data Protection Regulations (GDPR) are the requirements for data protection across the EU, laid down in law; therefore, every organisation that controls or processes personal data is legally obliged to comply with the requirements and must be able to demonstrate the application of data protection principles.

BS 10012:2017 is a Standard – a framework –  to assist organisations in meeting the legal obligations laid out in the GDPR Articles and Recitals.  Not only does BS10012:2017 address all the operational requirements of GDPR within Clauses 5 – 8, it also addresses how businesses can ensure they align their data protection responsibilities within the overall strategy of the business through context, leadership and continual improvement.  But more importantly, it ensures ongoing compliance to GDPR.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR nor BS10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

The Basics of BS 10012

BS 10012 is the British standard for Personal Information Management, and provides a framework for maintaining and improving compliance with data protection requirements and good practice.

It covers topics such as privacy impact assessment, risk assessments, data retention and disposal, privacy by design and employee awareness training; helping you to put policies and procedures in place to effectively manage the personal information of individuals.

Alignment with BS 10012

BS 10012:2017 provides the framework to implement a personal information management system around the principles of Data Protection (GDPR):

  • Principle (a) Lawfully, fairly and transparently processed (Clause 8.2.6);
  • Principle (b) Obtained only for specific legitimate purposes Clause 8.2.7);
  • Principle (c) Adequate, relevant, limited in line with data limitation principles (Clause 8.2.8);
  • Principle (d) Accurate and up to date, with every effort to erase or rectify without delay (Clause 8.2.9);
  • Principle (e) Stored in a form that permits identification no longer than necessary (Clause 8.2.10);
  • Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures (Clause 8.2.11).
  • General Accountability for the above

I already have an ISO certification, can I integrate BS 10012?

BS 10012:2017 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, enabling organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013. It is also a standard which organisations can now certify against.

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012?

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client-related personal data they may be controlling in the business.

With BS 10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS 10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How much work is involved in implementing BS10012

Neither GDPR or BS 10012 alignment happens without input or effort.  Both require action and top level commitment from a business.  There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

Gone are the days when a simple communicated Data Protection policy and registration with the Information Commissioner would suffice for Data Protection compliance.   One of the biggest changes is the ‘accountability’ principle underpinning the six other principles.   You now need to be able to prove you have applied all the principles within your business.

Over and above just the basic principles, you should be striving to:

  • Demonstrate that you understand what personal data you control or process,
  • Identify the legal basis for processing
  • Demonstrate the steps you have taken to understand and control/mitigate risk
  • Communicate requirements to interested parties
  • ‘Bake in’ Data Protection within your organisation (including required processes and review of planned/unplanned changes)
  • Review performance and strive for continual improvement.

When you consider the potential consequences of getting any of this wrong – 4% of global annual revenue or €20M whichever is greater – why wouldn’t you take the best practice approach and implement BS 10012?

Can I implement BS 10012 instead of GDPR

Yes. BS 10012 incorporates all the requirements of GDPR, but the key benefit is that it drives ongoing review and improvement of controls implemented to manage these requirements – now and thereafter.
Neither GDPR or B S10012 alignment happens without input or effort. Both require action and top level commitment from a business. There is no ‘off the shelf’ magic answer as every business is different, with its own processes, people, clients and suppliers – all of which generate personal data that needs to be effectively managed within a business.

How will BS 10012 add value to my business?

By implementing and certifying your business against BS 10012:2017, you will be able to demonstrate some clear advantages over your competitors:

  • Commitment to protecting client and stakeholder personal data – independently assessed by a 3rd party certification body
  • Identify risks to personal information and implement controls to mitigate them – reducing risk for both your organisation, and any clients whose personal data you may process
  • Utilise a management system to actively demonstrate compliance with both the GDPR and the revised UK Data Protection Act
  • Continually improve your management of personal data against recognised best practice and improved controls
  • Proactively protect your reputation – both in the market and to your interested parties
  • Achieve competitive advantage when tendering for new business

Running a successful business is all about reducing risk wherever possible (BS 10012 is a risk-based standard) and seeking opportunities to improve on the competition (BS 10012 certification sets you apart from mere internal GDPR ‘compliance statements’).

You can confidently state that you have credible 3rd party assurance that you are meeting your data protection obligations under GDPR – through certification to BS 10012 with a recognised certification body such as ISOQAR, BSI, LRQA, SGS etc.

Will ISO 27001 make me GDPR compliant?

ISO27001 v BS 10012

On its own No – this is a myth.

Information security is just one of Six principles of BS10012 and GDPR

 “f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Whilst a very important principle, if you rely on just having ISO 27001 for GDPR compliance you run the risk of not being in full alignment with all the principles (and related articles and recitals).

 

Who needs to be involved in BS 10012?

Do all my staff need to be involved in BS 10012

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client related personal data they may be controlling in the business.

With BS10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS10012:2017

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.


What is BS 10012?

Any organisation that processes personal information should ensure that it protects the privacy of the people it affects.

BS 10012 provides a framework for maintaining and improving compliance with data protection requirements and good practice.

This webinar washeld on the 16th March at 12pm-12:45pm. This webinar will covers the following:-

  • What is BS10012:2017?
  • What’s the difference between BS10012 and GDPR?
  • How will BS10012 add value to my business?
  • What is the best approach to implementing BS10012?
  • Who needs to be involved?
  • Is BS10012 certification recognised?
  • How Blackmores can help you to achieve BS10012 certification
ISOlogist logo

Consultancy service

Let us do it for you

ISOlogy hub logo

Online membership

DIY with our isology Hub

About Blackmores

Our 7 Steps to Success

The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.

Whether you choose to work with one of our isologist consultants or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!

What our clients have to say

The support and advise I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.

Kalil Vandi

“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”

David Gibson

Photon Lines Ltd

“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year.  We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”

Mandy Welsby

Jaama Ltd

“We have been extremely impressed with the service and support provided by Blackmores.  There knowledge and assistance through out our ISO journey has been amazing!”

Philip Hannabuss

Dome Consulting

“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”

Phil Geens

Kingsley Napley

“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”

dotdigital

Trusted by leading organisations across all sectors, we support companies of all sizes in any location.

Are you ready to start your ISO journey?

     
ISO Show

Listen to our Podcast

Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.

Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.

     

Carbonology logo

Ready to go carbon neutral... And achieve ISO Standards?

Welcome to Carbonology®

The proven method for achieving your carbon goals, aligned with ISO 14064 (carbon verification) and PAS 2060 (carbon neutrality)

Blackmores Carbon Neutral       Blackmores Carbon Footprint