Standard for data protection revised to address ever-increasing threats to personal information

Business standards company the British Standards Institution (BSI) has updated its standard for data protection. BS 10012:2017 Data Protection – Specification for a Personal Information Management System was developed to provide Best Practice guidance for those leaders responsible for the management of personal information.

The revised British Standard is applicable to organisations of all sizes and sectors and specifies the requirements for an organisation to adopt a personal information management system (PIMS). A PIMS provides a framework for maintaining and improving compliance with data protection requirements.

The British Standard is also intended to provide clear guidance for internal and external assessors on assessing compliance with data protection requirements.

Changes from the 2009 version of BS 10012 include a new definition of personal and sensitive data, restrictions on profiling using personal data and new administrative requirements for data privacy officers.

Data written under a pseudonym is now specifically covered, and there are stricter requirements for consent for processing. BS 10012 also takes into account a change in the law to cover data processors.

Implementing BS 10012 will support many organisations in their adoption of an appropriate information governance strategy. Information governance is a set of multi-disciplinary structures, policies, procedures and processes taken to manage information. Information governance supports an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

Strategy for handling personal information

Anne Hayes, head of governance and resilience at the BSI, said: “BS 10012 will provide organisations with structured guidance on implementing a common sense strategy designed to handle personal information as securely as possible. It will also afford confidence among employees at all levels of an organisation that decision-makers take the ‘hot button’ issue of data security seriously.”

Hayes added: “Data protection remains a leading concern for organisations of all shapes and sizes as well as members of the public at large. BS 10012 addresses these concerns.”

Many of the changes in the latest version of BS 10012 have been written in full recognition of the European Union’s General Data Protection Regulation (GDPR), which was written into law on 14 April last year. The GDPR will be directly applicable to the UK and EU Member States as of 25 May 2018.

Key organisations involved in the development of BS 10012 have included the Information Commissioner’s Office, the National Association of Data Protection Officers, the Data Protection Forum, the Department for Culture, Media and Sport, the International Association of Privacy Professionals, the Information and Records Management Society, the British Computer Society, the Financial Services Records Management Forum, the Financial Conduct Authority and the Information Security Forum.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014.

Related Posts