BS 10012 shows you how to build a stand-alone Personal Information Management System (PIMS). Your PIMS will help your organisation comply with GDPR or related regulations, like South Africa’s POPIA. Our simplified, secure, sustainable platform helps you follow the standard’s structured approach.
BS 10012 and ISO 27701 can both help you comply with GDPR and other privacy regulations by creating a PIMS. But there are important differences between them.
BS 10012 could be a better option if:
The rest of this page explains how to achieve BS 10012.
ISO 27701 could be a better option if:
To find out how to achieve it, visit our Achieve ISO 27701 page.
Our BS 10012 framework will help you as you create your PIMS. It’ll make sure that your PIMS aligns with and meets the needs of each section of the standard. And because BS 10012 aligns with GDPR, that’ll help you comply with GDPR or a GDPR-based regulation.
Your PIMS will follow BS 10012 and help you achieve GDPR compliance by:
BS 10012 asks you to take a big-picture view of the context your organisation works in and the personal data risks it faces. That means having a clear sense of factors including:
Your whole organisation needs to buy into your PIMS. Your leadership should understand the need for it, and be closely involved in defining and managing it. That’ll help you embed it in your broader organisational culture, making sure that everyone:
BS 10012 requires you to carefully plan and design your PIMS. You’ll think through every aspect of how personal data flows through your business, including:
Once you’ve understood those processes, you’ll need to check and document how each part of them complies with your chosen standard. You’ll also cover off any regulatory or other relevant obligations.
That’ll mean working through the privacy implications of pretty much everything your organisation does. And it’s not an abstract task. You’ll define the real-world risks to the personal data you hold, and come up with practical ways of managing or dealing with them all.
That’ll help you set out clear objectives for your PIMS. You’ll decide what it should achieve, how it’ll achieve it, how you’ll measure its effectiveness and how you’ll keep improving it. You’ll also cover off issues like resources needed, budget, timings and responsibilities.
Your PIMS isn’t a file-and-forget document. BS 10012 requires it to be at the heart of your organisation. So you’ll need to make sure it has the right resources behind it to help it survive, thrive and evolve. That means making sure your colleagues have:
You’ll need to reach everyone who needs to know about it with the information they need to hear. And you’ll have to document it in ways they can easily access and understand.
Bear in mind that documenting your PIMS can be quite challenging. You’ll need to keep your guidance and instructions up to date as your PIMS evolves. And you’ll make sure that only the right people can access them.
“We felt like we had the best of both worlds. We were able to use our existing processes, & the Adopt, Adapt content gave us new depth to our ISMS.”
We’ve covered how BS 10012 tells you to scope out, plan and document your PIMS. All that’s very important, but its real test will come when it goes live. It needs to show its worth by protecting your organisation’s personal data in practical, constructive ways.
As you implement and manage your PIMS, BS 10012 asks you to make sure you:
An unexamined PIMS is not worth having. You’ll need to examine yours regularly, running internal audits at planned intervals and when major changes take place. You’ll need to make sure that your auditors are impartial, and that you follow through on their recommendations.
And of course, you’ll need to document any audit. That’s partially for your own use and partially to help you with external audits. External auditors will want to see that you’re properly and fully following BS 10012.
You should also make sure that your senior managers regularly review your PIMS. They should look at everything from any external factors that might impact it, to data breaches and security issues that have actually taken place.
Perhaps you see that some part of your PIMS doesn’t comply with a standard or regulation you follow. Perhaps external or internal changes create a new personal data risk. Perhaps your organisation changes focus, and your PIMS has to change with it.
Whatever the reason for change, BS 10012 charges you with making sure you record it, act on it and record how you’ve acted on it. Your PIMS should make it easy to both flag up and take corrective actions, and find and act on ways of making it more efficient and effective.