Business standards company the British Standards Institution (BSI) has updated its standard for data protection. BS 10012:2017 Data Protection – Specification for a Personal Information Management System was developed to provide Best Practice guidance for those leaders responsible for the management of personal information.
The revised British Standard is applicable to organisations of all sizes and sectors and specifies the requirements for an organisation to adopt a personal information management system (PIMS). A PIMS provides a framework for maintaining and improving compliance with data protection requirements.
The British Standard is also intended to provide clear guidance for internal and external assessors on assessing compliance with data protection requirements.
Changes from the 2009 version of BS 10012 include a new definition of personal and sensitive data, restrictions on profiling using personal data and new administrative requirements for data privacy officers.
Data written under a pseudonym is now specifically covered, and there are stricter requirements for consent for processing. BS 10012 also takes into account a change in the law to cover data processors.
Implementing BS 10012 will support many organisations in their adoption of an appropriate information governance strategy. Information governance is a set of multi-disciplinary structures, policies, procedures and processes taken to manage information. Information governance supports an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.
Strategy for handling personal information
Anne Hayes, head of governance and resilience at the BSI, said: “BS 10012 will provide organisations with structured guidance on implementing a common sense strategy designed to handle personal information as securely as possible. It will also afford confidence among employees at all levels of an organisation that decision-makers take the ‘hot button’ issue of data security seriously.”
Hayes added: “Data protection remains a leading concern for organisations of all shapes and sizes as well as members of the public at large. BS 10012 addresses these concerns.”
Many of the changes in the latest version of BS 10012 have been written in full recognition of the European Union’s General Data Protection Regulation (GDPR), which was written into law on 14 April last year. The GDPR will be directly applicable to the UK and EU Member States as of 25 May 2018.
Key organisations involved in the development of BS 10012 have included the Information Commissioner’s Office, the National Association of Data Protection Officers, the Data Protection Forum, the Department for Culture, Media and Sport, the International Association of Privacy Professionals, the Information and Records Management Society, the British Computer Society, the Financial Services Records Management Forum, the Financial Conduct Authority and the Information Security Forum.