BSI has launched a new certification scheme designed to help today’s organisations demonstrate that they’re proactively protecting data and managing personal information both securely and effectively. Exponential-e, Hitachi Consulting, iland and People’s Postcode Lottery are the first UK organisations to have been independently assessed by the BSI and achieve certification to BS 10012:2017 Data Protection – Specification for a Personal Information Management System.
Data protection is a leading concern for organisations of all sizes and sectors, many of whom manage large quantities of sensitive data on their employees, customers and other stakeholders. In addition, the European Union’s forthcoming General Data Protection Regulation (GDPR) deadline is increasing the focus on compliance and information resilience.
Likewise, millions of consumers share their personal information with businesses through multiple channels each day. Almost every point of contact a consumer has with an organisation exchanges personal information – including social media and mobile apps, shopping, travel, healthcare, education, financial services and employment details. It’s therefore vital that organisations embed a culture of compliance and adopt a best-practice approach when acquiring, storing, processing and sharing personal data. This serves to protect their customers’ and stakeholders’ privacy while reducing the risks to their business.
Achieving certification to BS 10012 supports an organisation’s information governance strategy, helping it respond to immediate and future regulatory, legal, risk and operational requirements.
BS 10012 specifies the requirements for an organisation to adopt a Personal Information Management System (PIMS). A PIMS provides a framework for maintaining and improving compliance with data protection. The British Standard was recently revised to align with the key principles of the GDPR, which became law on 14 April 2016 and will be mandated from 25 May this year.
Those changes included a new definition of personal and sensitive data, restrictions on profiling using personal data and new administrative requirements for Data Protection Officers (DPOs). Pseudonymised data is now specifically covered and there are stricter requirements for consent to processing. The British Standard also takes into account a change in law to cover data processors.
The British Standard provides a comparison of key differences between the EU’s GDPR and the UK’s own Data Protection Act 1998. These include obligations on processors, right to erasure (ie the ‘Right to be Forgotten’), the requirement for a DPO, data breach reporting timescales and fines for regulatory breaches.
To achieve certification to the British Standard, organisations undergo an independent assessment including a rigorous on-site audit covering all the requirements of BS 10012. The requirements include embedding the PIMS within the organisation’s culture, undertaking a data inventory, analysing data flows and appointing a DPO. Maintaining certification requires continual improvement of the PIMS, which is regularly and independently assessed by the BSI.
Commitment to achieving excellence
Jitesh Bavisi, director of compliance at Exponential-e, said: “Exponential-e has been working towards GDPR compliance since January last year. Hence, we’re pleased to have finally achieved the BS 10012 certification which adds to the existing seven ISO certifications we hold. Our certifications from BSI demonstrate to customers our commitment to achieving excellence in everything that we do – from business processes through to technical innovation and on again to customer service. We work very closely with the BSI to sustain the world standard criteria that our ISO certifications demand. Ultimately, they contribute to the delivery of our brand promise – Peace-of-Mind-as-a-Service.”
Hicham Abdessamad, CEO of Hitachi Consulting, added: “We’re immensely proud of this recognition from one of the world’s leading certification bodies. Our core strategic objective is to continue to explore new business models and solutions that harness the power of data for the benefit of our clients around the globe. Achieving this high standard for data protection is strong evidence of an embedded culture of compliance and will be a major factor in driving competitive advantage for both ourselves and our clients. The quality and quantity of secure personal data under our clients’ control is now one of the biggest business issues they face. We have a unique opportunity to share the story of our own GDPR compliance journey and how clients can learn from our first-hand experience for their own competitive advantage.”
Scott Sparvero, CEO of global cloud services provider iland, commented: “At iland, we’ve always had a commitment to ensuring compliance with data protection regulations. The upcoming introduction of the EU’s GDPR has only strengthened that commitment. We’re proud to be one of the first UK organisations to achieve certification to BS 10012 and to be leading the way in ensuring data protection within the cloud computing industry for the benefit of our global customers and partners.”
Fraser Lovell, head of licence and politics at People’s Postcode Lottery, explained: “Going through the BSI certification process has been an excellent journey for us. It has helped us to prepare for the GDPR coming into effect. We now have a clear action plan to make sure that we continue to develop and improve upon our PIMS.”
Anne Scorey, UK managing director at the BSI, informed Risk UK: “As consumers, we’re increasingly sharing personal information with organisations online, over the phone and in person. Therefore, the need for more rigorous security measures is essential. While many organisations already have good data security processes in place, having their systems independently assessed by the BSI will help them to demonstrate that they’re committed to safeguarding personal information. We have a strong track record of promoting excellence in cyber and information security, and we’re delighted to have supported the first organisations with certification to BS 10012.”