BSI, the business standards company, has updated its standard for data protection. BS 10012:2017 Data protection – specification for a personal information management system was developed to provide best practice guidance for leaders responsible for the management of personal information.
The revised standard specifies requirements for an organization to adopt a personal information management system (PIMS). PIMS provides a framework for maintaining and improving compliance with data protection requirements. The standard is also intended to provide clear guidance for internal and external assessors on assessing compliance with data protection requirements.
The standard is applicable for organizations of all sizes and sectors. Changes from the 2009 version of BS 10012 include a new definition of personal and sensitive data [EXPLAIN]; restrictions on profiling using personal data; and new administrative requirements for data privacy officers.
Data written under a pseudonym is now specifically covered, and there are stricter requirements for consent for processing. BSI 10012 also takes into account a change in the law to cover data processors.
Implementing BS 10012 will support many organizations in their adoption of an appropriate “Information Governance” strategy. Information Governance is a set of multi-disciplinary structures, policies, procedures and processes taken to manage information. Information Governance supports an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements.
Anne Hayes, Head of Governance and Resilience at BSI, said: “BS 10012 will provide organizations with structured guidance on implementing a common-sense strategy to handle personal information as securely as possible. It will also provide confidence to employees at all levels of an organization that decision-makers take the hot-button issue of data security seriously.
“Data protection remains a leading concern for organizations of all shapes and sizes – as well as the public at large. BS 10012 addresses these concerns.”
Many of the changes in the latest version of BS 10012 have been written in recognition of the European Union General Data Protection Regulation (GDPR), which became law on April 14, 2016. The GDPR will be directly applicable to the UK and member states on May 25, 2018.
Key organizations involved in the development of BS 10012 include Information Commissioners Office (ICO); National Association of Data Protection Officers (NADPO); Data Protection Forum; Department for Culture, Media and Sport; International Association of Privacy Professionals; Information and Records Management Society; British Computer Society; Financial Services Records Management Forum; Financial Conduct Authority; Information Security Forum.