BS 10012 Data Protection - Personal Information Management Systems

The objective of BS 10012:2017 is to enable organizations to put in place, as part of the overall information governance infrastructure, a personal information management system (PIMS) which provides a framework for maintaining and improving compliance with data protection requirements and good practice. In many cases, a PIMS will address the management of personal information that is held across a wide range of operational units and information technology based application systems. Much of this personal information might also be within the scope of other management systems within the organization [e.g. quality management (BS EN ISO 9001), environmental management (BS EN ISO 14001), asset management (ISO 55001), information security management (BS EN ISO/IEC 27001)]. Where the organization has such multiple overlapping management systems, consideration needs to be given to utilizing a common approach such as that described in this compliance framework,


This new version of BS 10012 has been written in recognition of the publication of the European Union General Data Protection Regulation (GDPR), which was approved by the European Parliament on 14 April 2016. This replaces the European Directive (95/46/EC) on 25 May 2018, which was implemented in the UK by the Data Protection Act 1998.

The GDPR is directly applicable to the UK, and member states retain the ability to introduce national level derogations where these are required for specific purposes. The UK has recently introduced the Data Protection Act 2018, which specifically references the GDPR. Compliance with EU and UK data protection legislation is monitored, regulated and enforced by the Information Commissioner (the UK's "supervisory authority"), who is responsible for promoting the protection of personal information. The Information Commissioner promotes good practice by issuing guidance, rules on eligible complaints, provides information to individuals and organizations (acting as controllers and/or processors) and takes appropriate action when the law is broken. The Information Commissioner has powers to investigate complaints, make assessments as to whether processing is compliant with the national legislation, and issue information and enforcement notices. This British Standard is drafted using the rules specified for management system standards in the ISO Directives, Annex SL, and follows the common high level structure