Achieving regulatory compliance with BS 10012

BS 10012 shows you how to build a stand-alone Personal Information Management System (PIMS). Your PIMS will help your organisation comply with GDPR or related regulations, like South Africa’s POPIA. Our simplified, secure, sustainable platform helps you follow the standard’s structured approach.

BS 10012 or ISO 27701?

BS 10012 and ISO 27701 can both help you comply with GDPR and other privacy regulations by creating a PIMS. But there are important differences between them.

• BS 10012 is a stand-alone standard. But to achieve ISO 27701, you also need to create or already have an ISO 27001-based ISMS.
• BS 10012 is GDPR based so it’ll help you meet GDPR or GDPR-based regulations. But ISO 27701 is regulation-agnostic so it’ll help you with all regulations, including GDPR and GDPR-based ones.

Creating a BS 10012-based PIMS to achieve GDPR compliance

Our BS 10012 framework will help you as you create your PIMS. It’ll make sure that your PIMS aligns with and meets the needs of each section of the standard. And because BS 10012 aligns with GDPR, that’ll help you comply with GPDR or a GDPR-based regulation.

Your PIMS will follow BS 10012 and help you achieve GDPR compliance by:

Responding to the big picture

BS 10012 asks you to take a big-picture view of the context your organisation works in and the personal data risks it faces. That means being having a clear sense of factors including:

• Any wider contexts affecting your organisation
• Whose personal data you need to protect and how they need you to protect it
• Which regulatory, contractual, professional or other obligations you need to follow
• How much risk your organisation’s willing to take on

Your whole organisation needs to buy into your PIMS. Your leadership should understand the need for it, and be closely involved in defining and managing it. That’ll help you embed it in your broader organisational culture, making sure that everyone:

• Understands it
• Complies with it
• Helps to continuously improve it

Being carefully planned

BS 10012 requires you to carefully plan and design your PIMS. You’ll think through every aspect of how that data flows through your business, including:

• Where it comes from, why you need it and how you ask for it
• How your organisation makes use of it
• What it’s used for and who can access it
• Which of your systems store and manage it
• If relevant, how it moves between different jurisdictions
• When, how and why it’s stored or deleted

Once you’ve understood those processes, you’ll need to check and document how each part of them complies with your chosen standard. You’ll also cover off any regulatory or other relevant obligations.

That’ll mean working through the privacy implications of pretty much everything your organisation does. And it’s not an abstract task. You’ll define the real-world risks your privacy data faces, and come up with practical ways of managing or dealing with them all.

That’ll help you set out clear objectives for your PIMS. You’ll decide what it should achieve, how it’ll achieve it, how you’ll measure its effectiveness and how you’ll keep improving it. You’ll also cover off issues like resources needed, budget, timings and responsibilities.

Having all the support it needs

Your PIMS isn’t a file-and-forget document. BS 10012 requires it to be at the heart of your organisation. So you’ll need to make sure it has the right resources behind it to help it survive, thrive and evolve. That means making sure your colleagues have:

• The right competencies to make your PIMS work
• Clear knowledge of how and why to comply with it

You’ll need to reach everyone who needs to know about it with the information they need to hear. And you’ll have to document it in ways they can easily access and understand.

Bear in mind that documenting your PIMS can be quite challenging. You’ll need to keep your guidance and instructions up to date as your PIMS evolves. And you’ll make sure that only the right people can access them.

Working effectively in practice

We’ve covered how BS 10012 tells you to scope out, plan and document your PIMS. All that’s very important, but its real test will come when it goes live. It needs to show its worth by protecting your organisation’s personal data in practical, constructive ways.

As you implement and manage your PIMS, BS 10012 asks you to make sure you:

• Appoint the right people to oversee and manage your PIMS, making sure they’re both accountable and responsible for its success.
• Understand when and how your organisation uses personal data, so you know what sort of information it’s processing and what sort of risks that creates.
• Assess any risks to your organisation’s personal data and make sure you have clear plans in place to deal with them all.
• Deliver training in and build awareness of your PIMS, so your colleagues know exactly how to handle any personal data they process or run into.
• Keep your PIMS up to date, making sure it evolves with your organisation, keeps up with any regulatory changes and follows developing best practice.
• Always stay fair, lawful and transparent – making sure you’re aware of and ready to follow any relevant laws and legislations should always be your very first step
• Only obtain and process personal data to achieve specific, legitimate goals, and never use it in ways that go beyond or don’t help you achieve those goals
• Make sure you always collect the right amount of data – no more or less than you need to achieve your specific, legitimate goals
• Keep any personal data you gather accurate and up to date, and be ready to check and change it if you’re asked to do so
• Set clear, transparent limits for how long you hold onto and when you dispose of any personal data you gather, so you don’t keep it for longer than you need to
• Make sure you keep your personal data secure, protecting it against any unauthorised or unlawful processing, or any kind of loss, destruction or damage
• Always make sure you understand and fully respect the rights of the natural people whose data you hold and process

Undergoing regular evaluation

An unexamined PIMS is not worth having. You’ll need to examine yours regularly, running internal audits at planned intervals and when major changes take place. You’ll need to make sure that your auditors are impartial, and that you follow through on their recommendations.

And of course, you’ll need to document any audit. That’s partially for your own use and partially to help you with external audits. External auditors will want to see that you’re properly and fully following BS 10012.

You should also make sure that your senior managers regularly review your PIMS. They should look at everything from any external factors that might impact it, to data breaches and security issues that have actually taken place.

Constantly evolving and improving

Perhaps you see that some part of your PIMS doesn’t comply with a standard or regulation you follow. Perhaps external or internal changes create a new personal data risk. Perhaps your organisation changes focus, and your PIMS has to change with it.

Whatever the reason for change, BS 10012 charges you with making sure you record it, act on it and record how you’ve acted on it. Your PIMS should make it easy to both flag up and take corrective actions, and find and act on ways of making it more efficient and effective.