What is BS 10012?
The Basics of BS 10012
BS 10012 is the British standard for Personal Information Management, and provides a framework for maintaining and improving compliance with data protection requirements and good practice.
It covers topics such as privacy impact assessment, risk assessments, data retention and disposal, privacy by design and employee awareness training, helping you to put policies and procedures in place to manage the personal information of individuals effectively.
Alignment with BS 10012
BS 10012:2017 provides the framework to implement a personal information management system around the principles of Data Protection (GDPR):
- Principle (a) Lawfully, fairly and transparently processed (Clause 8.2.6);
- Principle (b) Obtained only for specific legitimate purposes (Clause 8.2.7);
- Principle (c) Adequate, relevant, limited in line with data limitation principles (Clause 8.2.8);
- Principle (d) Accurate and up to date, with every effort to erase or rectify without delay (Clause 8.2.9);
- Principle (e) Stored in a form that permits identification no longer than necessary (Clause 8.2.10);
- Principle (f) Ensure appropriate security, integrity and confidentiality of personal information using technological and organizational measures (Clause 8.2.11).
- General accountability for all of the above.
I already have an ISO certification, can I integrate BS 10012?
BS 10012:2017 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, enabling organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013. It is also a standard which organisations can now certify against.
Who needs to be involved in BS 10012?
Do all my staff need to be involved in BS 10012?
Successful implementation is a team effort.
It starts at the top – senior management need to be fully on board and committed to achieving data protection best practice. Once that commitment is secured, everything else will flow from there.
In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.
All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!
Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client-related personal data they may be controlling in the business.
With BS 10012 – all personal data is captured and recorded to ensure that all risks are considered.
Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data. Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches. Ensuring all staff are trained is fundamentally one of the most important steps in implementing BS 10012:2017.
This extends to key suppliers or partners, depending on whether personal data is shared or transferred outside the business.