Whether you call it personal or privacy information management, the subject is growing quickly as a topic of business importance. Threats of massive fines and reputational damage are driving customers to mandate that their suppliers show compliance with regulations like GDPR and its counterparts across the world.
Compliance with privacy requirements is complex, and layered on top of broader information security management (i.e. for other information assets like commercial contracts, IPR and financial data) it can be a real challenge. We can help you with various levels of privacy compliance and will also help you work out what level of privacy information management system (PIMS) you might need and why.
Privacy is a complex topic even when it comes to naming conventions
Whether your organisation is a controller or a processor, or both, it needs to protect the personal data of individuals. Personal data is any information that relates to an identified or identifiable individual. It can cover anything from a name and address, to a record of purchases made, to confidential medical records.
Personal data protection regulations and methods are developing fast. And there are different ways of describing the data you’re protecting. For example:
- The UK Information Commissioner’s Office (ICO) calls it “personal data”
- The British Standards Institute (BSI) calls it “personal information”
- The International Standards Organisation (ISO) calls it “privacy information”
To keep things simple, we usually call it personal data.
Third parties also differ in their naming convention for management systems around it too, for example:
- The ICO doesn’t have a specific name for it
- The BSI calls it a Personal Information Management System
- The ISO calls it a Privacy Information Management System
At least both of those specific terms shorten to PIMS, so that’s what we call it!
There are many benefits associated with a PIMS, and it should be something that helps grow value for the organisation as well as helping to manage threats. Benefits include:
- Builds trust in your company’s perceived ability to manage personal information, both for customers and employees
- Provides increased assurance for stakeholders
- Supports compliance with the GDPR and other privacy regulations
- Improves structure and focus of data privacy management
- Embeds personal data management into the organisation’s culture
- Takes a risk-based approach to data privacy management
- Encourages continual improvement to adapt to changes inside and outside the organisation
- Demonstrates more forward thinking than competitors, which helps win new business with powerful, risk-averse customers
The number of privacy frameworks is increasing as well
There is a growing number of privacy frameworks, which does not help the simplification goal. They broadly break down into 2 types:
Standards Led Privacy Frameworks e.g.
- ISO 27701 PIMS (ISO 27001 Extension)
- BS 10012 PIMS
- NIST Privacy Framework
Regional Privacy Frameworks & Regulations e.g.
- Local Data Protection Supervisory Authorities – Guidelines
- OECD (Organisation for Economic Co-operation and Development) Privacy Guidelines
- APEC Privacy Framework
- ICO UK GDPR Checklists
- State, national and country based regulations (e.g. POPIA, GDPR etc)
What is the right model for your organisation now and in the future?
We’ve turned the complexity into a simplified approach towards 5 levels of maturity.
It goes without saying that levels 1 and 2 are unlikely to demonstrate any form of protection or value for the organisation and its stakeholders. We can help you from Level 3 to Level 5.
Level 3. ICO Data Protection Assurance Checklist
- Information Commissioner’s Office (ICO) – UK focus
- A Self Assessment Toolkit
- Helps to assess compliance with Data Protection Law
- Clarifies next steps for the compliance journey
IDEAL FOR: Starting out your privacy management/data protection compliance journey in a recognised, structured and effective way.
Level 4. BS 10012:2017+A1:2018
Data Protection – Specification for a personal information management system
- British Standard, globally recognised
- Follows ISO management system structure
- Regulation based standard, GDPR and DPA
- Stand alone, independent implementation
- Can be aligned with, or certified to
IDEAL FOR: Implementing a regulation based PIMS where there is no need for an Information Security Management System (ISMS) i.e. you don’t need or have any intention of doing ISO 27001.
Level 5. ISO/IEC 27701
Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines
- International Standard, globally recognised
- Information security based standard
- Extension to ISO/IEC 27001, so it requires an ISMS that implements ISO 27001
- Regulation agnostic, suitable for all
- Can be aligned with, or certified to
IDEAL FOR: Implementing an information security based PIMS if you already have an Information Security Management System (ISMS) or are willing to get one.
A suite of unique privacy management tools
We’ve preconfigured various PIMS solutions to meet your needs, with simplification and ease of completion at their heart. As with all the ISMS.online features, they are fit for use whether you are a newcomer, improver or an expert, and the PIMS takes advantage of our tried and tested ISMS functionality. In addition, you can also:
Record all your data processing activities
We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.
A secure space for Subject Access Requests
You’ll need to show how well you manage Subject Access Requests. Our secure SAR space keeps it all in one place, supporting it with automated reporting and insight.
Powerful risk assessment and management tools
We’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.
Simple privacy assessment templates
It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.
Effective, responsive breach management
You’ll be ready when the worst happens. We make it easy to plan and communicate your breach workflow, and document and learn from each and every incident.
Plus a range of other specially-created tools…
Our tried-and-tested people and progress management tools
Highly efficient project oversight and collaboration
Our workspace makes collaboration easy and simplifies progress monitoring, with a simple approval process and automated reviews built in as standard.
Optional supply chain management tools
We can help you show that you’re in control of your supply chain, covering everything from contracts and contacts to relationship and performance management and monitoring.
Help and support engaging your people
Your staff need to be right at the heart of your GDPR solution. Our optional comms and engagement tools can help you bring them on board and keep them compliant.