First UK organizations certified by BSI to the global data protection scheme ahead of GDPR deadline

26 March 2018

-New certification scheme helps businesses to manage personal information securely and effectively-

BSI, the business standards company has today launched a new certification scheme to help organizations demonstrate that they are proactively protecting data and managing personal information securely and effectively. Exponential-e, Hitachi Consulting, iland and People’s Postcode Lottery are the first UK organizations to have been independently assessed by BSI and achieve certification to BS 10012: 2017 Data protection – specification for a personal information management system.

Data protection is a leading concern for organizations of all sizes and sectors, many of whom manage large quantities of sensitive data on their employees, customers and other stakeholders. In addition, the forthcoming General Data Protection Regulation (GDPR) deadline is increasing the focus on compliance and information resilience.

Likewise, millions of consumers share their personal information with businesses through multiple channels each day. Almost every point of contact a consumer has with an organization exchanges personal information – including social media and mobile apps, shopping, travel, healthcare, education, financial services and employment.

It’s therefore vital that organizations embed a culture of compliance and take a best practice approach when acquiring, storing, processing and sharing personal data. This protects their customers’ and stakeholders’ privacy whilst reducing the risks to their business. Achieving certification to BS 10012 supports an organization’s information governance strategy, helping them respond to immediate and future regulatory, legal, risk and operational requirements.

BS 10012 specifies the requirements for an organization to adopt a Personal Information Management System (PIMS). A PIMS provides a framework for maintaining and improving compliance with data protection. The standard was revised recently to align with the key principles of the GDPR, which became law on 14 April 2016 and will be mandated from 25 May 2018.

Those changes included a new definition of personal and sensitive data; restrictions on profiling using personal data; and new administrative requirements for Data Protection Officers (DPOs). Data written under a pseudonym is now specifically covered and there are stricter requirements for consent for processing. The standard also takes into account a change in law to cover data processors.

The standard also provides a comparison of key differences between the EU GDPR and UK DPA (Data Protection Act) 1998 – these include obligations on processors, right to erasure (“right to be forgotten”), the requirement for a DPO, data breach reporting timescales and fines for regulatory breaches.

To achieve certification to the standard, organizations undergo an independent assessment including a rigorous on-site audit covering all the requirements of BS 10012. The requirements include embedding the PIMS in the organization’s culture, undertaking a data inventory and analysing data flow and the appointment of a Data Protection Officer. Maintaining certification requires continual improvement of the PIMS which is regularly and independently assessed by BSI.

Jitesh Bavisi, Director of Compliance at Exponential-e Ltd said:

 “Exponential-e has been working towards GDPR compliance since January 2017. Hence, we are very pleased to have finally achieved the BS 10012 certification which adds to the existing seven ISO certifications we hold. Our certifications from BSI demonstrates to our customers our commitment to achieving excellence in everything we do – from business processes, to technical innovation and customer service. We work closely with BSI to sustain the world standard criteria our ISO certifications demand, and ultimately, they contribute to the delivery of our brand promise – Peace-of-Mind-as-a-Service.”

Hicham Abdessamad, CEO of Hitachi Consulting said:

“We are immensely proud of this recognition from the one of the world’s leading certification bodies. Our core strategic objective is to continue to explore new business models and solutions that harness the power of data for the benefit of our clients globally. Achieving this high standard for data protection is strong evidence of an embedded culture of compliance and will be a major factor for driving competitive advantage for us and our clients.

“The quality and quantity of secure personal data under our clients’ control is now one of the biggest business issues they face, and we have a unique opportunity to share the story of our own GDPR compliance journey and how clients can learn from our first-hand experience for their competitive advantage.”

Scott Sparvero, CEO of iland, the global cloud services provider, commented:

“At iland, we have always had a commitment to ensuring compliance with data protection regulations and the upcoming introduction of the EU GDPR has only strengthened that commitment. We are proud to be one of the first UK organizations to achieve certification to BS 10012 and to be leading the way in ensuring data protection in the cloud computing industry for the benefit of our global customers and partners.”

Fraser Lovell, Head of Licence and Politics at People’s Postcode Lottery said:

“Going through the BSI certification process has been an excellent journey for us. It has helped us to prepare for GDPR coming into effect and we have a clear action plan to make sure we continue to develop and improve our personal information management system.”

Anne Scorey, UK Managing Director at BSI commented:

“As consumers, we’re increasingly sharing personal information with organizations online, over the phone and in person, therefore the need for more rigorous security measures is essential. Whilst many organizations have good data security processes in place already, having their systems independently assessed by BSI will help them to demonstrate that they are committed to safeguarding personal information.

“We have a strong track record promoting excellence when it comes to cyber and information security, and are delighted to have supported the first organizations with certification to BS 10012.”

For more information, please visit

- ENDS –

Notes to Editors:
Please note this certification does not guarantee compliance with the GDPR, however the BS 10012: 2017 Data protection – specification for a personal information management system scheme ensures that an organization has taken the necessary steps to manage personal data securely and effectively.