Thursday 25 September 2014

New data protection accreditation framework launched

All eyes are currently on the British Standards Institute, as the soft launch of its new accreditation framework for BS 10012 has commenced. How quickly will it take off, bearing in mind the ICO’s intention to endorse (at least) one privacy seal scheme next year? Will organisations wait until it is clear whether this scheme has been officially endorsed by the ICO, or will they be brave and apply for BSI accreditation now?

For those not in the know, BS 10012 is the framework that sets up a personal information management system. If you need reassurance that your organisation meets the requirements of British data protection legislation, then this is the standard for you. If data controllers want to demonstrate “accountability,” they will benefit from being capable of complying with this standard.

Like all accountability frameworks, it is designed, as the BSI explains, to:
  • Identify risks to personal information and put controls in place to manage or reduce them.
  • Demonstrate compliance with data protection legislation and gain preferred supplier status.
  • Gain stakeholder and customer trust that their personal data is protected.
  • Gain a tender advantage and win new business.
  • Safeguard your organisation's reputation and avoid adverse publicity.
  • Protect you and your organisation against civil and criminal liability.
  • Benchmark your own personal information management practices with recognized best practice.

Some organisations might not want to open their internal systems up to the scrutiny of a BSI auditor until they are reasonably confident that those systems are robust. Few organisations relish the prospect of strangers poking around for dirty laundry. But they might nonetheless want some help from an expert who is familiar with the standard.

As someone who served on the working party responsible for writing that standard, I’m in a good position to offer some useful advice.

If you are interested in a frank review of your systems (or if you just want to know what it is that the law says you ought to be doing), then please feel free to contact me.