Article five of the DPA 2018 requires accountability for the six principles laid out in detail. The organisation must demonstrate its own arrangements, and thus its accountability, for how it has complied with the DPA 2018.
Buying and implementing a standard set of online policies and procedures may give the buyer initial comfort about compliance, but adherence to a robust piece of legislation requires leadership, commitment and time.
All too often management programmes become high-level, ‘tick-box’ and ephemeral. BS10012 articulates the need for clear leadership and commitment.
For a start, a PIMS (Personal Information Management System) needs to be created and approved by the most senior manager within the organisation. The policy should align with the organisation’s strategic objectives and activities. A business considering BS10012 may already hold ISO27001 for data security.
Integration of BS10012 into the organisation’s activities is key. Using the Annex SL model adopted across other newly published British Standards and ISO publications affords a good opportunity to embrace a new Standard without undue duplication.
The resources required should be identified, e.g. skills such as a DPO (Data Protection Officer), additional staff training and awareness.
The senior management need to ensure that the PIMS system achieves its desired outcomes and affords protection against future data breaches or investigations.
Senior management need to promote and direct the BS10012 programme. Data loss and data breaches often occur through human error – brought about through poor training.
Management roles and responsibilities should be updated to reflect any BS10012 / PIMS responsibilities.
A new BS10012 project will require resources and careful management to ensure a successful implementation and registration by a UKAS certification body.
Marcus Allen BSc MSc AMBCS FCMI FIC Int.Dip (GRC) has twenty-five years’ experience as a management consultant in compliance solutions. He is a Fellow of the Institute of Consultants. He has worked in the data security and data protection arenas since 2000 and has been promoting and working with BS10012 since 2009 in a variety of large-volume, data-driven sectors.