BSI updates data protection standard to address growing threats to personal information

07 June 2017

The BSI’s Anne Hayes says adoption of the new standard will provide confidence that organisations are taking data security seriously.

Among the changes from the 2009 version of BS 10012 is a new definition of personal and sensitive data.

BSI (British Standards Institution) has updated its specifications for data protection.

The business standards company developed BS 10012:2017 to provide best practice guidance for leaders responsible for the management of personal information systems.

The revised version of the standard specifies requirements for an organisation to adopt a personal information management system (PIMS).

BSI says this provides a framework for maintaining and improving compliance with data protection requirements. The standard is also intended to provide clear guidance for internal and external assessors on assessing compliance with data protection requirements. It is applicable to organisations of all sizes and sectors.

Changes from the 2009 version of BS 10012 include a new definition of personal and sensitive data; restrictions on profiling using personal data; and new administrative requirements for data privacy officers.

Data written under a pseudonym is now specifically covered, and there are stricter requirements for consent for processing. The revised standard also takes into account a change in the law to cover data processors.

Many of the changes in the latest version have been written in recognition of the EU General Data Protection Regulation (GDPR), which became law in April 2016. The GDPR will be directly applicable to the UK and EU member states on 25 May 2018.

“BS 10012 will provide organisations with structured guidance on implementing a common sense strategy to handle personal information as securely as possible,” says Anne Hayes, head of governance and resilience, BSI.

“It will also provide confidence to employees at all levels of an organisation that decision-makers take the hot-button issue of data security seriously.”