GDPR Certification. Is that possible?
Well it is now. The British Standard BS10012 2017 provides a specification for a personal information management system (PIMS) and if you implement this you would also be able to get a 3rd party certification body, such as BSI for example, to come and audit as well as certify your compliance with the standard.
Of course you might not want to go through certification, but if you are looking at ensuring compliance with GDPR this standard would be a great help even without certification.
So what is in the standard?
Great news, the structure is similar to other management system standards such as ISO 27001 or ISO 9001. This means that if you already have a management system, that complies with one of these ISO standards, then you would recognise a large part of this PIMS standard including:
- Context of the organization
- Leadership
- Planning (which includes risk management)
- Support
- Operation
- Performance evaluation
- Improvement
Of course, each of these areas would need to be considered with personal information and the GDPR in mind. Specifically, chapter 8 is a large part of the standard where you will be required to consider areas such as:
- Key appointments (including Data protection office / DPO)
- Identifying and recording uses of personal information
- Risk assessment and treatment
- Training and awareness
- Keeping PIMS up to date
- Fair, lawful and transparent processing
- Processing for specific legitimate purposes
- Adequate, relevant and in line with data minimization principles
- Retention and disposal
- Security issues
- Rights of natural persons
Should I use this standard?
Of course. We all must comply with GDPR. Some might be further down this route than others, but this standard would be a great help for anybody that is looking to cut through all of the GDPR hype and have a tool that would guide you through the project.
Whether or not to go through certification is a different matter. If you are in a business where your customers are asking you to demonstrate GDPR compliance, then this should definitely be something to consider.
So, if you are considering BS10012 call us now (+44 (0)20 8798 9282) to discuss, how we can help you design and implement a great Personal Information Management System (PIMS) and avoid all the pitfalls.
For further information that might be of interest please also see: