Why Consider it?
Many organisations were busy working to meet the GDPR deadline of May 25th, 2018. Data maps to address Article 30 were created in large volumes, along with associated forms and templates.
The topic of data protection is not as visible as it was back in 2018, but the risk of data loss or breaches quietly carries on, this time with greater powers under the auspices of the ICO.
Senior management of any organisation will often take a risk-based approach to compliance in general, and to data protection in particular. But is this approach right?
Without real, tried-and-tested verification of the data protection controls in place, any organisation could unknowingly be sitting on ineffective arrangements that could haunt it further down the line.
In my recent communications with the ICO it was confirmed that there are no current plans for a third-party scheme known as Privacy Seal. This is captured under DPA Article 42. If and when such a scheme is announced, it is likely that accredited, UKAS-approved certification bodies would undertake the third-party assessments.
Until such time, BS10012:2017+A1:2018 – Data Protection is the best place to start. It has been updated to reflect the DPA 2018 and is better organised in its layout than its 2009 predecessor. Following the Annex SL model for new Standards, the new BS10012 allows for easier integration with other management systems.
It allows an organisation to assess, benchmark and improve against the criteria set out. The added advantage is third-party certification. All too often, internal audit within organisations becomes ‘tick box’-led. This is dangerous and can create a distorted picture of compliance adherence.
The executive team of any organisation must remember the accountability principle under the DPA 2018. BS10012, if properly implemented and assessed by a premier UKAS certification body, can help achieve this.
Marcus Allen BSc MSc AMBCS FCMI FIC Int.Dip (GRC) holds twenty-five years’ experience as a management consultant in compliance solutions. He is a Fellow of the Institute of Consultants. He has worked in the data security and data protection arenas since 2000 and has been promoting and working with BS10012 since 2009 in a variety of large-volume, data-driven sectors.
He holds a master’s degree from a premier UK research university in ‘management learning and change’.