Exponential‐e leads the way with global data protection certification from BSI
Company demonstrates its expertise in managing information securely ahead of GDPR deadline
The standard has a specification for a personal information management system (PIMS), which is increasingly under the spotlight ahead of the forthcoming General Data Protection Regulation (GDPR). As consumers share more data than ever with businesses, ensuring a robust and resilient data strategy is becoming an integral part of operations, brand and reputation. Achieving certification to BS 10012 supports Exponential‐e's information governance strategy, enabling it to respond to immediate and future regulatory, legal, risk and operational requirements.
Jitesh Bavisi, Director of compliance at Exponential‐e commented:
"Exponential‐e has been working towards GDPR compliance since January 2017. Hence, we are very pleased to have finally achieved the BS 10012 certification, which adds to the existing seven ISO certifications we hold. Our certifications from BSI demonstrate to our customers our commitment to achieving excellence in everything we do – from business processes and technical innovation to customer service. We work closely with BSI to sustain the world standard criteria our ISO certifications demand, and ultimately, they contribute to the delivery of our brand promise - Peace‐of‐Mind‐as‐a‐Service."
BS 10012 specifies the requirements for an organisation to adopt a Personal Information Management System (PIMS). A PIMS provides a framework for maintaining and improving compliance with data protection. The standard was revised recently to align with the key principles of the GDPR, which became law on 14 April 2016 and will be mandated from 25 May 2018.
Those changes included a new definition of personal and sensitive data; restrictions on profiling using personal data; and new administrative requirements for Data Protection Officers (DPOs). Pseudonymised data is now specifically covered, and there are stricter requirements for consent to processing. The standard also takes into account a change in law to cover data processors.
The standard also provides a comparison of key differences between the EU GDPR and UK DPA (Data Protection Act) 1998 – these include obligations on processors, right to erasure ('right to be forgotten'), the requirement for a DPO, data breach reporting timescales and fines for regulatory breaches.
To achieve certification to the standard, organisations undergo an independent assessment including a rigorous on‐site audit covering all the requirements of BS 10012. The requirements include embedding the PIMS in the organisation's culture, undertaking a data inventory, analysing data flows and appointing a Data Protection Officer. Maintaining certification requires continual improvement of the PIMS, which is regularly and independently assessed by BSI.