What is a privacy compliance framework?
The EU GDPR (General Data Protection Regulation) requires organisations to implement “appropriate technical and organisational measures” to secure the personal data they process.
They must also follow the accountability principle. This means being responsible for, and able to demonstrate their compliance with, the Regulation’s data processing principles.
This can best be achieved via a privacy compliance framework: a formal structure for managing the security of personal data.
If your organisation has not developed its own privacy compliance framework, there are currently two standards that you can use to ease your path to GDPR compliance: BS 10012:2017 and ISO/IEC 27701:2019.
Implementing these standards – and, where possible, achieving independently accredited certification – will demonstrate to regulators such as the Ireland's DPC (Data Protection Commission) that you have carried out due diligence and are doing all you can to comply with the law.
BS 10012 PIMS (personal information management system)
BS 10012:2017 is the British standard that specifies the requirements for a PIMS, and is aligned with the requirements of the GDPR.
It provides a well-defined structure for managing data protection, and is designed to follow the PDCA (plan-do-check-act) cycle to ensure continual improvement.
ISO 27701 PIMS (privacy information management system)
Certification to ISO 27001 – the international standard for an ISMS (information security management system) – demonstrates that your organisation follows information security best practice.
ISO/IEC 27701:2019 is an extension to ISO 27001 that enables organisations to account for privacy management – including their processing of personal data – in their security management activities.
Like an ISO 27001-compliant ISMS, an ISO 27701 PIMS advocates a risk-based approach, ensuring the security controls you implement are appropriate to the risks your organisation faces.
Find out more about the ISO/IEC 27701:2019 standard
What is the difference between BS 10012 and ISO 27701?
Both standards set out the requirements for a management system designed to secure the processing of personal data.
BS 10012 is aligned with the GDPR and UK DPA (Data Protection Act) 2018, so if you need to comply with those laws only, the British standard will suit your purposes.
ISO 27701, on the other hand, avoids aligning with any one specific data protection regime, which gives it much wider potential application. If you process personal data that is covered by another data privacy law, or a number of differing laws, then ISO 27701 may be a better fit for your organisation.
Likewise, if you already have an ISO 27001-compliant ISMS in place, or are in the process of implementing one, ISO 27701 makes much more sense as the two management systems are designed to be integrated.