As with all management Standards BS10012 require the most senior member of the management team to create a PIMS (Personal Information Management Policy).

This should be relevant to the organisation and consider its scope and context. Corporate data protection principles should be set. This is a similar requirement with other Standards.

Consideration of stakeholder needs and expectations with regards to data protection would be a beneficial theme within a newly developed policy.

Continual improvement is required. The management team might consider PIMS processes that can be monitored or benchmarked for improvement.

The policy should also set out why the organisation is embracing BS10012. Primarily this might be to afford customers with ‘trusted partner’ assurance.          

The policy should address which data protection regulations are being adhered to. Plus, how strict adherence to processing personal data only where necessary for legal requirements. Or for legitimate interests.

Agreeing to processing only the minimum amount of data that is necessary. The PIMS policy should also make clear transparency notifications with regards how personal data is used & by whom.

The policy should further articulate: the maintenance of data inventories Article 30. Keeping data accurate, retaining personal data for as long is required, keeping data secure, transfers of data outside the UK, protection of data in transit, dealing with regulators across the EU, identification of interested parties.

The policy should identify key responsible workers within the organisation with regards accountability.

It is wise to get feedback from key stakeholders on the newly created PIMS policy prior to authorisation.        

Once formulated the policy needs to be documented, although this might be located on a web-site or intranet for customers, stakeholders and employees to view. The policy must be communicated and accepted by entire organisation and monitored regularly.

Marcus Allen BSc MSc AMBCS FCMI FIC Int.Dip (GRC) holds twenty-five years’ experience as a management consultant in compliance solutions. He is a Fellow of the Institute of Consultants. He has worked in the data security and data protection arenas since 2000 and has been prompting and working with BS10012 since 2009 in a variety of large volume data driven sectors.

Please Contact Us