During 2016 and early 2017 I have had the privilege of working on a British Standards Institution committee alongside a number of others with great expertise in the management of personal information and compliance with the existing and new legislation in this area.
This has resulted in a new version of BS 10012 that supersedes the 2009 version, which was based on the European Directive (95/46/EC) as implemented in the UK by the Data Protection Act 1998. The new version addresses the European Union General Data Protection Regulation (GDPR), which has now been adopted across the EU and will replace the current Data Protection Act on 25th May 2018, well before the United Kingdom completes the Brexit withdrawal from the EU.
Whilst speculation is rife as to what will happen regarding UK law after Brexit, it is clear that the UK legislation will retain the controls required by the GDPR relatively unchanged following Brexit. What is less clear is how personal information of UK and EU citizens is to be transferred between the UK and the EU and the rest of the world and vice versa without falling foul of either UK or EU law. Also unclear is how the rights of the individual are to be addressed following non-compliance in situations involving cross-border transfers.
In spite of this somewhat grey area of territorial applicability, compliance with BS 10012 will ensure organisations are well positioned against the new legislation, both before and after Brexit. Being prepared for the legislation is not simply a matter of avoiding or minimising the impact of fines (although the size of fines that can be imposed under GDPR is enough to make most C-suite members sit up and take notice); it is good business practice and the benefits of improved information management that will result from proper preparedness will normally far outweigh the costs of compliance.
Therefore, there is every reason to use BS 10012 as part of the process of preparing for GDPR; following its clear guidelines enables the organisation to:
- Identify personal information used within the organisation
- Ensure that the requirements for consent for processing, sharing and transferring that personal information are met
- Identify risks to the personal information held and put controls in place to manage or reduce these risks
- Gain stakeholder and customer trust and safeguard organisational reputation
- Benchmark the organisation's personal information management practices against recognised good practice
BS 10012 is available from the BSI shop.