This article was first published at quality.org
Let’s remind ourselves of the situation regarding data protection in the UK.
First up is the flavour-of-the-month General Data Protection Regulations (GDPR). This is an EU regulation and directly applies to all European Union member states, including the UK, at least until Brexit (and almost certainly beyond).
Second, running in parallel with this, is the UK’s new Data Protection Act 2018. GDPR stole the limelight so this new legislation, which received Royal Assent in May 2018, attracted less attention.
At the moment DPA and GDPR are very similar in application but the main difference is DPA is UK Legislation while GDPR is European Regulation. The difference is UK Legislation is much more subject to British Case Law whereas the GDPR is not. Over time precedent and Judge-made law will apply more and more to the DPA. What are now “identical twins” may begin to develop identities of their own.
You may be forgiven for thinking you’ve seen the requirements of both of these before under the guise of earlier legislation, and it’s true that many of the requirements of GDPR (and DPA) are similar to previous data protection rules. But there seems to be a big difference in approach. The regulators are now talking a lot tougher. For a start, the fines are potentially massive: up to 4% of global turnover.
Should Uber ever face charges over data breaches as exposed in 2017, with a global turnover of $6.5 billion, this would amount to a fine of $260 million. Since they’ve never turned a profit, the effect could be massive.
Any charges that come against Facebook could be even more eye-watering.
Of course, we don’t know if either are likely to be prosecuted. But back in the real world, the lesson could be serious for small and medium-sized businesses who have less legal resources to fight any charges.
So, how does any business without an in-house team of lawyers and data protection specialists manage to understand a document that has 99 articles (rules) and 173 citations (commentaries)? How do you know what applies to you and what you need to do?
Thankfully, there may be a simpler solution to managing your data protection challenges, in the shape of a British Standard which has slipped under the radar.
The snappily named BS 10012:2017 Data Protection — Specification for a Personal Information Management System is a re-written version of an earlier standard that is specifically designed around GDPR. Many of the clauses and requirements directly refer to the regulation.
It’s mercifully shorter than the GDPR regulations and, if you implement the system, you should be well on your way to providing your organisation with solid foundations in your quest to achieving GDPR (and DPA) compliance. There’s no guarantee of course, but right now, it’s the best system out there.
For those who already have ISO management systems (such as ISO 9001 or ISO 27001 for example) the structure is familiar and can be integrated into existing systems, thanks to Annex SL which facilitates the integration of different management system standards. Naturally, the standard works particularly well with the ISO 27001 Information Security Management System.
It should be pointed out that GDPR does encourage some sorts of certification. Citation 77 states:
“Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications…”
At the moment just what these “approved certifications” will be hasn’t been finalised but 10012 is a pretty good candidate.
Also, at the moment, national accreditation bodies like UKAS haven’t agreed their position with respect to BS 10012.
However, some organisations have already sought and obtained certificates for BS 10012. Alcumus ISOQAR has already taken some clients through their Stage 1 and Stage 2 resulting in certification and will be carrying out first surveillances soon. The main motivation behind these organisations seeking certification was to assist with GDPR compliance.
While no standard (or certification) can guarantee you compliance with any regulation or law, BS 10012 does at least give an organisation a structure. And if the worst comes to the worst and you find yourself under investigation, you can point to a systematic approach. This will at least stand as mitigation and perhaps take the sting out of any prosecution.
After all, a caution or a small fine is a lot better than crippling costs, and a management system also gives you a structure to put into place your recovery and improvement plans.