BS 10012:2017 – What are the Benefits and How Do I Achieve Certification

Published on 21 July 2022

BS 10012 is a British management system standard which has been developed to enable organisations to implement a personal information management system (PIMS). It provides a framework for maintaining and improving compliance with data protection legislation and good practice.

The framework will help you to manage risks to the privacy of personal data and implement appropriate policies, procedures and controls.

In March 2017, BSI updated this Standard in response to the introduction of the European Union General Data Protection Regulation (GDPR).

Article 42 of the GDPR encourages the “establishment of data protection certification mechanisms… for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” This is exactly what BS 10012 is intended to offer.

BS 10012 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, which enables organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013.

It is also a standard which organisations can certify against.

Benefits of Implementing BS 10012:2017

By implementing and certifying your PIMS against BS 10012:2017, you will be able to:

  • Demonstrate your commitment to protecting client and stakeholder personal data
  • Identify risks to personal information and implement controls to mitigate them
  • Use the management system as part of a privacy compliance framework to demonstrate compliance with the GDPR and the Data Protection Act 2018
  • Benchmark and continually improve your management of personal data against recognised best practice
  • Protect your reputation and minimise adverse publicity
  • Gain competitive advantage when seeking and retaining business.

How do I Achieve Certification to BS 10012:2017

As stated above, BS 10012:2017 has been drafted using the rules specified for management system standards in the ISO Directives Annex SL and follows the same common structure and core text as standards such as ISO/IEC 27001:2013 and ISO 9001:2015.

As one of the UK’s leading implementers of ISO 27001, and with its wealth of data protection experience and expertise, URM is uniquely placed to assist you in developing and implementing a PIMS and achieving certification to BS 10012:2017.

URM’s services range from conducting a gap analysis (where one of URM’s consultants will assess your existing PIMS and compare it against the BS 10012 requirements) to full lifecycle services.

URM also offers a readiness assessment service for those organisations seeking certification. With the full lifecycle implementation services, URM can assist you in meeting requirements such as:

  • Understanding and documenting the context of the organisation (incl. determining the scope of the PIMS)
  • Demonstrating leadership and commitment with respect to the PIMS (incl. establishing a PIMS policy)
  • Planning actions to address risks and opportunities (incl. defining a data inventory and data flow analysis process, a data protection impact assessment (DPIA) process and a risk treatment process)
  • Determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the PIMS
  • Implementing the PIMS (incl. conducting risk assessments and ensuring the organisation meets the principles and requirements of the GDPR, e.g. ensuring that personal information is processed fairly, lawfully and in a transparent manner)
  • Evaluating the performance of the PIMS (incl. conducting internal audits and management reviews)
  • Continually improving the PIMS (incl. implementing corrective and preventive actions).

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you in understanding your current level of compliance and identifying gaps and vulnerabilities.