BS 10012:2017 – What are the Benefits and How Do I Achieve Certification

21 Jul

BS 10012 is a British management system standard which has been developed to enable organisations to implement a personal information management system (PIMS). It provides a framework for maintaining and improving compliance with data protection legislation and good practice.

The framework will help you to manage risks to the privacy of personal data and implement appropriate policies, procedures and controls.

In March 2017, BSI updated this Standard in response to the introduction of the European Union General Data Protection Regulation (GDPR).

Article 42 of the GDPR encourages the “establishment of data protection certification mechanisms…. for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”  This is exactly what BS 10012 is intended to offer.

BS 10012 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, which enables organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013.

It is also a standard which organisations can certify against.

Benefits of Implementing BS 10012:2017

By implementing and certifying your PIMS against BS 10012:2017, you will be able to:

  • Demonstrate your commitment to protecting client and stakeholder personal data
  • Identify risks to personal information and implement controls to mitigate them
  • Use the management system as part of a privacy compliance framework to demonstrate compliance with the GDPR and the Data Protection Act 2018
  • Benchmark and continually improve your management of personal data against recognised best practice
  • Protect your reputation and minimise adverse publicity
  • Gain competitive advantage when seeking and retaining business.

How do I Achieve Certification to BS 10012:2017

As stated above, BS 10012:2017 has been drafted using the rules specified for management system standards in the ISO Directives Annex SL and follows the common structure and core text as standards such as ISO/IEC 27001:2013 and ISO 9001:2015.

As one of UK’s leading implementers of ISO 27001 and with its wealth of data protection experience and expertise, URM is uniquely placed to assist you develop and implement a PIMS and achieve certification with BS 10012:2017.

These services range from conducting a gap analysis (where one of URM’s consultants will assess your existing PIMS and compare it against the BS 10012 requirement) to full lifecycle services.

URM also offers a readiness assessment service for those organisations seeking certification. With the full lifecycle implementation services, URM can assist you meeting requirements such as:

Understanding and documenting the context of the organisation (inc. determining the scope of the PIMS

Demonstrating leadership and commitment with respect to the PIMS (incl. establishing a PIMS policy)

Planning actions to address risks and opportunities (incl. defining a data inventory and data flow analysis process, a data protection impact assessment (DPIA) process and a risk treatment process)

Determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the PIMS

Implementing the PIMS (incl. conducting risk assessments and ensuring the organisation meets the principles and requirements of the GDPR* e.g. to ensure that personal information is processed fairly and lawfully and in a transparent manner )

Evaluating the performance of the PIMS (incl. conducting internal audits and management reviews

Continually improving the PIMS (incl. implementing corrective and preventive actions).

Thumbnail of the Blog Illustration
Data Protection
Published on
ISO 27701:2019 and the GDPR

The EU GDPR and the UK DPA both require organisations to protect and ensure the privacy of any personal data which they process.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
What is the Purpose of ISO 27701 and What Benefits Does it Bring?

The need for guidance on how organisations should best protect privacy and manage personal information has never been more pertinent.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
When and How to Conduct a Data Protection Impact Assessment (DPIA)

A DPIA delivers a pre-emptive approach to assessing these risks, and can prevent a data breach occurring. We present an outline of steps in conducting a DPIA

Read more
Complicated topic summarised really simply making GDPR accessible. I would love a recording as was distracted part way through and would like to re-enforce my knowledge by listening again (possibly a couple of times just to get it to sink in......)
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.