What is this standard about?
It shows organizations how to implement a Personal Information Management System (PIMS). This will help them reach a good standard of information governance and comply with legal personal data protection requirements.
Who is this standard for?
Any and all organizations holding the personal information of clients and/or staff and wishing to maintain compliance with current regulation and good practice.
Why should you use this standard?
As part of an overall information management system, this standard enables organizations to put a Personal Information Management System (PIMS) in place which provides a framework for maintaining and improving compliance with data protection requirements and good practice.
The standard was updated in 2017 to reflect new requirements in the EU’s General Data Protection Regulation (GDPR) which came into force on 25 May 2018.
This 2018 amendment takes in further small changes as a result of the UK Data Protection Act 2018.
Use of the standard will help organizations avoid compliance breaches, significant fines and reputational damage, as well as reduce the actual cost of recovery following a privacy breach.
It will also help organizations implement an appropriate information governance strategy.
What’s changed since the last update?
This 2018 amendment makes minor changes to some clauses, which have been updated to reflect the UK Data Protection Act 2018.
The changes made in the 2017 edition resulted from GDPR requirements and remain in BS 10012:2017+A1:2018. These include:
- Definition of personal and sensitive data
- Restrictions on profiling using personal data
- New administrative requirements for data privacy officers
- Pseudonymous data specifically covered
- Abolition of the notification/registration requirement
- New stricter requirements for consent for processing
- Changes to subject access and other rights for data subjects
- Enhanced right to erasure and new right to portability
- Security breach notification requirement
- Privacy by design and privacy impact assessment requirements
- Extension of the law to cover data processors
- Removal of the safe harbour ground for data transfers to the U.S.