Standards body the British Standards Institution (BSI) has updated its data protection specifications for organizations, in a move designed to align them with forthcoming European regulations and ensure they’re fit for the digital age.
BS 10012: 2017 Data protection – specification for a personal information management system has been written to provide best practice guidance for firms in this increasingly important area.
The BSI claimed it will help protect firms from fines and reputational damage which could follow non-compliance with the European General Data Protection Regulation (GDPR), set to land in May 2018.
It could also help reduce the “recovery” costs associated with data breaches, the BSI added.
The primary objective of BS 10012: 2017 is to stipulate requirements for firms to adopt a “personal information management system” (PIMS); a framework for maintaining and improving compliance with data protection requirements.
Changes to the 2009 version include a new definition of what is deemed “personal” and “sensitive” data.
A BSI spokesperson confirmed to Infosecurity Magazine that this would include things like banking and other financial info; NI numbers; info relating to vulnerable adults and children and detailed profiles of individuals, amongst other “high risk” elements.
As per the GDPR, there are also additions including restrictions on profiling consumers using personal data; admin requirements for Data Protection Officers (DPOs); coverage of pseudonymized data; enhanced right to erasure; privacy by design; the removal of Safe Harbor and security breach notification requirements.
“BS 10012 will provide organizations with structured guidance on implementing a common-sense strategy to handle personal information as securely as possible. It will also provide confidence to employees at all levels of an organization that decision-makers take the hot-button issue of data security seriously,” BSI head of governance and resilience, Anne Hayes.
“Data protection remains a leading concern for organizations of all shapes and sizes – as well as the public at large. BS 10012 addresses these concerns.”
There was a caveat from the BSI, which said it will monitor and update the standard following the UK’s withdrawal from the European Union, in case there are changes to how GDPR is implemented post Brexit.