BS 10012 Personal Information Management
Personal information security has never been more important. Any organisation that handles personally identifiable information (PII) has a responsibility to ensure the security of privacy data. Organisations must show that they take privacy management seriously, especially now that new regulations, such as the General Data Protection Regulation (GDPR), have been introduced. That is where BS 10012 comes in.
This article covers the most common questions about BS 10012 and explains how this standard can promote good practice and help you to control and process personal data in line with best practice. With the help of our cloud-based software, you can develop your Privacy Information Management System (PIMS) so that it meets the criteria set out in BS 10012. Although no standard can guarantee compliance with laws and regulations, ISMS.online can provide your company with an Assured Results Methodology for developing your PIMS. This can help you comply with data protection regulations and other privacy laws.
What is BS 10012?
BS 10012 is a British Standard for Personal Information Management Systems developed and approved by the British Standards Institution (BSI). The standard defines best practice for personal information management (PIM) system development, with the goal of reducing the risk of privacy data being compromised. BS 10012 guides companies on the policies, procedures and technologies they use to identify, manage, store, access, use and share personal information across and between organisations.
BS 10012 sets the standards for businesses to adhere to strict protocols when collecting, storing and using personal information about an individual. Meeting the BS 10012 standard helps you have a framework to handle privacy data in the right way.
What is Personal Information Management?
Personal information management (PIM) is the process by which companies obtain, organise, store, access, and use personally identifiable information (PII).
PIM refers to when people organise, share and maintain personal information, and the policies, procedures and technologies that enable them to do so. PIM focuses not only on the techniques used to store information but also on how individuals access the information for use and deletion.
Understanding and implementing effective Personal Information Management standards helps organisations to operate more competently, coping with “information overload”, and developing effective strategies to safeguard personally identifiable information.
What are the principles of BS 10012?
As BS 10012 is designed around GDPR, it aims to match the principles set out in that regulation. Therefore, BS 10012 requires that personal data is:
- (a) Lawfully, fairly and transparently processed
- (b) Collected for specified, explicit and legitimate purposes
- (c) Adequate, relevant and limited to purposes for which they are processed
- (d) Accurate and, where necessary, kept up to date; inaccurate data is erased or rectified without delay
- (e) Stored in a form that permits identification of individuals no longer than is necessary
- (f) Processed in a manner that ensures a high level of security, confidentiality and integrity; protected against unlawful access or accidental loss
You will be held accountable for achieving and maintaining all of the above. All personal data stored or handled by your business must abide by these principles if you want to ensure your BS 10012 certification is successful.
BS 10012 was structured to be compatible with other management system standards, which ensures that the majority of clauses supporting the implementation of a PIMS, such as governance/leadership, employee understanding, risk management, and continuous improvement, are consistent with ISO 27001 clauses; this prevents unnecessary duplication of record-keeping and effort.
BS 10012 revolves around the following key themes:
Data protection and retention
Data protection and retention are essential business requirements that you must address to ensure compliance with the relevant privacy laws. Failure to do so could result in significant financial penalties and reputational harm. As data breaches have grown exponentially over recent years, organisations must, now more than ever, take the steps needed to protect privacy data.
Manage risks to personal information
A fundamental principle of BS 10012 is risk management, which entails defining potential privacy risks and implementing safeguards to mitigate those risks to an acceptable level.
A PIMS that is aligned with BS 10012 affirms the GDPR principles and reassures stakeholders that personal data is handled in accordance with best practices. BS 10012 promotes the efficient management of risks associated with handling personal data.
Privacy Impact Assessment
GDPR requires organisations to perform a Privacy Impact Assessment (PIA) if the collection of personally identifiable information (particularly with the use of emerging technologies) is likely to result in a high risk to an individual’s rights and freedoms.
Modern technologies allow the collection and analysis of massive quantities of data, which raises the risk of compromising the privacy of those who share their personal information. However, with a BS 10012-compliant PIMS, you can recognise potential risks associated with personal data security and take actions to mitigate those risks.
Processing Personal Information
With many organisations handling some type of personal information, BS 10012 can assist with implementing policies, procedures, and controls that enable an organisation to efficiently process personal data. Following the BS 10012 framework will assist you with designing and delivering personal information awareness training and risk assessments, as well as the data handling, storage and disposal processes within your organisation.
Improvements in Controls/Policies
In addition to meeting GDPR criteria, BS 10012 addresses how companies can ensure that their data protection obligations are aligned with their overall business plan through continuous improvement of controls and policies. This is accomplished using the Plan-Do-Check-Act model of continuous improvement.
The benefits of BS 10012
One of the main benefits of building or adapting your PIMS in line with the BS 10012 standard is that it brings your business closer to compliance with GDPR. Compliance with GDPR is required for companies and organisations that work within the EU. In the UK, GDPR has been assimilated into UK data protection laws, meaning very little practical difference between EU GDPR and UK GDPR.
BS 10012 promotes good practice throughout your organisation when it comes to handling personal data.
Some of the benefits of the BS 10012 standard are:
- BS 10012 encourages continuous improvement, allowing your management staff to make quick changes to how your PIMS works
- The standard helps your business maintain compliance with laws and regulations, such as GDPR
- BS 10012 can easily be integrated with other privacy standards such as ISO 27701 due to its Annex L/SL based design
- The standard guides best practice when designing and developing a personal information management system
- BS 10012 helps Privacy Analysts and Privacy Data Managers to identify and manage risks to personally identifiable information
- Meeting the stringent standard inspires trust and confidence from clients, partners, staff and your industry in general
How will BS 10012 add value to my business?
If you are serious about getting your business up-to-date with the latest privacy data standards, BS 10012 can provide you with a best-practice framework. What benefits will a PIMS standard bring to your business?
Keep in line with legal obligations
Keeping yourself compliant with the law is critical. By implementing BS 10012, you will have a framework that guides compliance with privacy data laws. You will have documented procedures in place for your data processes and for how and where data is stored. BS 10012 is applicable across different industries and helps you meet your legal obligations.
Compliance with data protection legislation
If you run a business that handles personal information in the UK, then you need to make sure you are compliant with the UK data protection laws. The UK has incorporated GDPR into the UK data protection laws, meaning your GDPR responsibilities are largely unchanged post-Brexit.
Reduce the risk of fines
By achieving BS 10012 certification, your company will have put in place best-practice policies and procedures that are geared towards handling privacy data in the right way. Having BS 10012 will reduce the risks associated with data breaches and fines by providing documentary evidence that your PIMS meets the British Standard.
Improve your corporate image
By attaining BS 10012, you can show your clients, industry and regulators that you are committed to high-quality personal information management practices. This can enhance your corporate image. If you suffer a data breach, but have followed best practice in developing your PIMS, you will probably reduce the reputational damage.
Customer trust/confidence/Competitive Advantage
Implementing BS 10012 will help customers feel confident that your company is trustworthy and competent. Customers and partners want to know that you follow robust processes. Using the BS 10012 standard framework is a good way to demonstrate that you respect your responsibilities related to privacy data.
ISMS.online was the only tool we found that hit the sweet spot of providing a comprehensive and proven ISMS, ‘out of the box’, at a reasonable price for a mid-sized organisation. And unlike many other solutions, a complete ISMS and data privacy were integrated well in one package.
Risk and Compliance Director, REPL
How long will BS 10012 take?
It’s difficult to provide exact timeframes because BS 10012 certification relies on a variety of factors, including the complexity of your business and industry, how close you are to meeting the standard (your current level of PIMS compliance), the size of your organisation, and so on. It is a good idea to budget between 6 months to a year for the process. Some of the factors that will influence BS 10012 certification are described below.
Before you can earn your BS 10012 certification, you will need to make sure that the personal information management system used by your organisation is compliant with the BS 10012 standard. Once your PIMS covers the necessary compliance requirements, you can get started with the certification process and shave some time off the expected timeframe.
Achieving BS 10012 certification is a great achievement for any business because it reassures customers that their data is kept safe and secure. However, gaining the certification can be challenging and time-consuming. Depending on the size of your business and scope of operations, the process, from the gap analysis to implementation and certification, can take anywhere from three months to one year.
BS 10012 is an independently auditable standard, so you will have to hire a qualified external auditor to assess your organisation’s compliance with BS 10012. If satisfied, the external auditor will give you paperwork confirming compliance. This process is also not expected to take more than a few days.
Internal auditors are responsible for verifying the effectiveness of a company’s internal control systems and ensuring the company complies with relevant laws and regulations as regards information security. Though there are different requirements that cover different areas of internal audit, auditors are expected to follow BS 10012 when performing an internal audit of the PIMS process. This process usually takes a day or two.
Understanding BS 10012
When you begin to implement BS 10012, the first step is to do a gap analysis to determine where your personal information management system is at the moment. You then review the findings and develop a strategy for implementing the required policies and procedures to meet the Standard’s criteria. Additionally, this review will identify any current risks associated with your personal information management, which can be resolved when you develop your management framework.
Unless you are experienced with BS 10012, we recommend that you obtain expert advice when developing a personal information management system. Our information security professionals at ISMS.online can help guide you on BS 10012 compliance. We have video coaching resources, and our cloud ISMS helps you follow an Assured Results method, placing the documentation of compliance with the standard in one easy-to-use platform.
Implementing BS 10012
Every company has its own set of personal data and faces different privacy risks. Each company is also at a different stage in terms of managing personal information. That is why it is important that your Privacy Information Management System is built on BS 10012 but is designed to suit your business. BS 10012 can be personalised to include what your company needs to protect personal information, streamline processes, and comply with the regulations and laws.
To begin implementing BS 10012, the following steps must be taken:
- Obtain senior management’s support and commitment
- Carry along all stakeholders, including data processors and controllers through effective internal communication
- Analyse existing processes and protocols against BS 10012 standards
- Gather input from customers and suppliers on personal information management requirements
- Form an implementation team and lead implementer
- Define and communicate tasks, duties, and timeframes
- Encourage employee participation through engagement and training
- Share the benefits of BS 10012 and motivate workers to become internal auditors
- Conduct regular reviews of the BS 10012 framework to ensure that it is continuously improved
BS 10012 can be a little tricky to get your head around, like most ISO and BS standards. ISMS.online helps you by providing a cloud-based solution that can help you document compliance with the BS 10012 requirements.
Demonstrating Good Practice
BS 10012 sets the standard for the behaviours, processes, technology and knowledge that represents best practice for effective management of privacy data risks. Implementing BS 10012 means your organisation can demonstrate ‘good practice’ when it comes to managing personally identifiable information.
Plan, Do, Check, Act
PDCA (Plan-Do-Check-Act) is a four-stage iterative method for continuously improving procedures, services, or products, as well as for problem-solving. It entails conducting rigorous tests of potential alternatives, analysing the outcomes, and applying the ones that have been shown to succeed.
BS 10012 is a quality management standard that is based on the Plan-Do-Check-Act (PDCA) model for continuous quality control and improvement. As such, the framework is compatible with other ISO-endorsed management system standards, allowing the streamlined deployment and interoperability of a PIMS within applications such as an Information Security Management System (ISMS).
Requirements of BS 10012
Putting a management system in place takes a systematic approach that involves all stakeholders.
The following are the important requirements to achieving compliance with BS 10012:
- Determine the PIMS’s stakeholders’ requirements.
- Determine the scope of the PIMS to ensure that all relevant data is addressed.
- Assemble a project team and assign a lead implementer.
- Involve senior management and secure their cooperation.
- Establish PIMS goals and a PIMS policy.
- Develop the requisite skills and competence for implementing and managing the PIMS.
- Conduct an inventory of the data and a data flow mapping.
- Create a procedure for determining the legal framework for processing personally identifiable information.
- PIAs (privacy impact assessments) and risk management structures should be established.
- Conduct employee training programmes.
- Create the required PIMS policies and procedures, including consent, subject access requests, and data breach notification.
- Develop a methodology for data exchange, storage, disposal, and transfer.
- Establish a programme for continuous improvement.
- Carry out an internal audit.
Once these steps have been taken and you are confident with your organisation’s implementation of BS 10012, you will want to apply for an external audit and certification.
The framework of current ISO Standards is summarised in Annex SL. The structure of Annex SL is composed of ten clauses that define how all content in a Management System Standard must be classified:
- Clause 1 – Scope: This defines the intended outcomes of the Management System
- Clause 2 – Normative references: References any Standards or publications that are relevant
- Clause 3 – Terms and definitions: Definitions of the common terms used throughout the Standard are defined here
- Clause 4 – Context of the organisation: This defines the areas that the Management System will cover
- Clause 5 – Leadership: This area stresses the importance of the involvement of the leadership team within the operation of the Management System
- Clause 6 – Planning: How the Management System will achieve its objectives and how the business will deal with risk
- Clause 7 – Support: How the operation of the Management System will be supported to run efficiently
- Clause 8 – Operation: Details on the day-to-day processes and operations in your business, including how you will track the performance of these areas
- Clause 9 – Performance evaluation: Analysing and monitoring how well your business is operating against the requirements of your Management System
- Clause 10 – Improvement: Using the results of your performance evaluation to improve your business and its processes
Compliance vs Certification
The terms compliance and certification are often used interchangeably but they are not the same. A company can be compliant without being certified, and a company can sometimes get certified without it being entirely compliant.
Compliance means that your PIMS meets the requirements of laws, regulations or standards. BS 10012 certification means you have proven that your organisation has met the requirements of the personal information standard. Certification requires documentary evidence. Typically, you will be given a certificate to say you are compliant with your chosen standard, BS 10012 in this case. Certification is a great way to demonstrate compliance to potential clients!
Is BS 10012 certification right for me?
The BS 10012 certification is right for your company if you need to show proof that you have taken all the right steps to protect critical data and information from threats such as data leaks, security risks, and misuse.
Additionally, BS 10012 is a smart choice if you want to comply with regulatory requirements, safeguard information and data, and minimise data protection risks.
Regardless of the scale of your company or the type of personal information you process, the BS 10012 framework contains guidelines that will assist you in identifying threats to personal data privacy and implementing the appropriate policies, protocols, and controls to ensure compliance with data protection requirements.
BS 10012 Certification process
There are certain steps you can take to make BS 10012 certification as smooth as possible.
The steps are:
- Gap Analysis: This is when a trained consultant visits your organisation to analyse your current PIMS and figure out what can be done to adapt it into a BS 10012 system. It may also involve collaborating with experienced auditors, both internal and external, to provide expert verification of the effectiveness of your organisation’s PIMS (personal information management system).
- Implementation: This is where all the recommendations made in step one are implemented and any procedural changes are effected to ensure that your current PIMS meets the minimum requirement for compliance with BS 10012.
- Certification: An auditor will visit your establishment to verify that your processes are in line with the BS 10012 standard and that all necessary changes have been implemented. If everything checks out, you can proceed to apply for BS 10012 certification. This certificate is normally valid for three years.
In your journey towards BS 10012 certification, you can take advantage of ISMS.online’s powerful cloud-based system to document your PIMS process, demonstrate compliance and become certified.
Speak to our Information Security experts or request a demo by calling +44 (0)1273 041140.
Who needs to be involved in BS 10012?
Effective implementation of BS 10012 involves the cooperation of everyone in the organisation.
Senior management must be on board and committed to implementing data privacy best practices. However, to accurately manage all of your organisation’s personal data, you must carry all departments in the organisation along.
Personal information management system explained
A personal information management system is a set of protocols, practices, and organisational processes that are intended to safeguard personal data from unauthorised access, retrieval, or usage for reasons other than those for which it was collected, as well as to ensure data privacy and security.
A personal information management system is intended to ensure compliance with all applicable GDPR and data protection laws.
Standards such as BS 10012 and ISO 27701 define the framework for a Personal Information Management System (PIMS), assisting you in maintaining and improving compliance with data protection legislation and reassuring stakeholders.
Will it create red tape?
Red tape can be completely avoided if the implementation of BS 10012 is done correctly.
While it can be tempting to document every aspect and stage of the process, this can be taxing and time-consuming for the people involved. Documenting steps does play an important role if you are planning to upgrade your systems, but too much documenting can lead to red tape.
How do I maintain BS 10012 certification?
Maintaining BS 10012 certification is not a difficult task, provided that the original BS 10012 implementation was carried out correctly. To maintain the validity of your certificate, annual audits must be carried out by a qualified person, followed by a comprehensive reassessment of your PIMS before certification renewal, which happens every three years. You should also be willing to invest in continual improvement.
Continual improvement is a broad term used to describe any method or approach for gradual and permanent improvements to how your organisation handles personally identifiable information, identifying emerging risks to compliance, and taking systemic actions to remedy them.
Continual improvement is particularly important with BS 10012, which is designed around the Plan-Do-Check-Act method. To qualify for certification or recertify to BS 10012, you need to demonstrate a continuous improvement focus in your PIMS.
I already have an ISO certification; can you integrate BS 10012?
BS 10012 is based on the continuous improvement concept of ‘Plan-Do-Check-Act’ and is compatible with ISO Annex SL, which is adopted by all major management system frameworks. This allows organisations to incorporate their BS 10012 certified PIMS with other standards, most notably ISO 27001.
What other standards and regulations are related to BS 10012?
Standards that focus on GDPR and similar regulations are generally compatible with a BS 10012 PIMS. Most modern privacy standards are designed around the Annex L/SL framework, and so are compatible with each other.
Two of the most common standards that are used alongside BS 10012 are ISO 27001 and ISO 27701. International organisations sometimes choose to have their PIMS certified to BS 10012 and ISO 27701 in order to meet industry certification standards both in the UK and the European Union.
How do BS 10012 and GDPR integrate with each other?
GDPR stands for General Data Protection Regulation. GDPR is a law that companies have to abide by when holding and processing PII in the EU. The large majority of the requirements for GDPR are covered by BS 10012, so BS 10012 facilitates compliance with GDPR.
How BS 10012 can help you demonstrate GDPR compliance
BS 10012 was amended in March 2017 in response to Article 42 of the GDPR, which promotes the “establishment of data protection certification mechanisms, for the purpose of demonstrating compliance with GDPR’s processing operations by controllers and processors.” This is precisely what BS 10012:2017 aims to do.
This means that a BS 10012 compliant PIMS shows that the organisation has taken all appropriate and necessary steps towards meeting the requirements for managing personal information, as defined by the GDPR.
BS 10012 is not an alternative to GDPR. BS 10012 helps you to show that you have looked at your company and established and are maintaining the policies, processes and technologies that should make you GDPR compliant.
BS 10012 and ISO 27701
ISO 27701 and BS 10012 are standards that companies measure their organisational policies and procedures against in the design of their PIMS. Both provide documentary evidence, through certification, to show a company has followed a robust process.
BS 10012 is appropriate for businesses operating in the United Kingdom that wish to ensure GDPR and Data Protection Act compliance. ISO 27701 is a globally recognised standard.
ISO 27701 addresses many of the same specifications as BS 10012 but has a broader scope and can be adapted to different countries, territories and industries. One significant difference between ISO 27701 and BS 10012 is that an ISO 27701 PIMS is structured as an extension of the ISMS standards and controls specified in ISO 27001.
BS 10012 on the other hand provides an entirely different set of GDPR compatible criteria with which to implement a PIMS. To prevent duplication of effort, BS 10012 was designed to be compatible with internationally recognised management system standards, such as ISO 27001.
How do BS 10012 and ISO 27701 integrate with each other?
BS 10012 is based on the continuous improvement model of ‘Plan-Do-Check-Act’ and is compatible with ISO Annex SL, which is adopted by all major management system standards, including ISO 27701. This means that organisations can incorporate a PIMS based on BS 10012 with an ISO 27701 compliant PIMS.
How much does BS 10012 cost?
There are two sets of fees associated with BS 10012:
- The fee paid to an Accredited Certification Body for BS 10012 certification, which is normally between £2000 and £3000.
- Fees paid to the BS 10012 consultant you choose. These fees are determined by the size of the business, the number of locations, the nature of the business, and the complexity of your business operation.
What are the benefits of building your own BS 10012 PIMS vs buying?
Building your own BS 10012 PIMS is a better way to get a system that is tailored to your specific business processes. A personalised system could save you money and be easier to use, customise, and adapt.
Some businesses, on the other hand, find the prospect of developing their own system overwhelming, and therefore opt for off-the-shelf solutions. Whichever path you take with your business, our cloud-based solutions at ISMS.online will help you keep track of the checklists you’ll need to fulfil the requirements of PIMS standards as you pursue certification.
How does ISMS.online make personal information management easy?
ISMS.online provides an easy-to-use cloud-based platform that enables organisations to demonstrate BS 10012 compliance. We have information security experts in-house to help you understand and complete the documentation process. Our coaching videos and additional resources provide further guidance and support to facilitate your journey to BS 10012 certification.
But that is not all. Our system also supports:
Frameworks for BS 10012
It can be difficult to know where to begin with BS 10012, particularly if this is your first time. This is where ISMS.online comes in.
Our solutions provide frameworks for demonstrating your organisation’s compliance with BS 10012. Our information security professionals can also help you to develop an implementation plan that is consistent with the standard’s documentation requirements.
Highly efficient project oversight and collaboration
Each member of your implementation team can use the checklist functionality of ISMS.online to add their contribution. Our easy-to-use collaboration tool, with a simple approval process, automated reviews in-built and a user-friendly interface means that you can monitor your progress towards certification. With our cloud-based system, you enjoy easier project collaboration and full oversight in one place.
Optional supply chain management tools
We have solutions to help you take more control of your supply chain, from contracts to communications and relationships, all the way through to performance monitoring and reporting. By opting for our additional supply management tools you can extend your privacy data standards to your supply chain.
Help and support engaging your people
To successfully implement a GDPR-compliant PIMS you need to get buy-in from all stakeholders in your company. This is where our communications and engagement tools can make the difference. Our solutions can help you to onboard key stakeholders and demonstrate the benefits of compliance with BS 10012.
Contact ISMS.online today on +44 (0)1273 041140 to learn more about how our cloud-based software can help you to demonstrate compliance with BS 10012.