Scope
This British Standard will provide recommendations and guidance for the implementation of BS EN ISO/IEC 27701 in the UK context. It will support organizations of any size and sector in applying privacy information management practices in a way that aligns with UK legal, regulatory and operational requirements.
It is intended for use by those responsible for planning, implementing, maintaining and reviewing privacy information management arrangements within an organization, including data protection, privacy, compliance, information security, governance and assurance professionals. It will provide UK-specific implementation guidance to support the effective and consistent application of BS EN ISO/IEC 27701, and to give organizations, auditors and other stakeholders greater confidence in the management of personal information.
The new standard is necessary to:
• Maintain alignment with BS EN ISO/IEC 27701 while avoiding duplication or conflict with an existing international standard.
• Provide UK-specific implementation guidance in support of UK GDPR, the Data Protection Act 2018 and ICO expectations.
• Support organizations in applying privacy principles such as accountability, transparency, data minimisation and privacy by design in a practical and consistent way.
• Offer a clear, risk-based and operational approach to implementing privacy information management alongside related standards such as BS EN ISO/IEC 27001.
• Provide continuity for UK users currently familiar with BS 10012, while moving to a model that supports the international privacy management framework rather than duplicating it.
• Ensure continued usability and relevance for organizations of all types and sizes, including SMEs.
Purpose
Background and rationale:
The committee has agreed that BS 10012:2017+A1:2018 should not be revised as a standalone personal information management system standard. In order to avoid conflict with BS EN ISO/IEC 27701, BS 10012 will instead be withdrawn and replaced by a new British Standard in the form of a UK code of practice giving recommendations and guidance for the implementation of BS EN ISO/IEC 27701.
This approach follows the model used for BS 31100, which provides a code of practice and guidance for the implementation of BS ISO 31000. The new standard will therefore act as a practical UK implementation guide, supporting organizations in applying BS EN ISO/IEC 27701 in a way that aligns with UK GDPR, the Data Protection Act 2018 and ICO expectations.
The Relevant TC/SC:
The developing committee is IST/33/5 – Identity Management and Privacy Technologies, operating under the direction of IST/33 – Information Security, Cybersecurity and Privacy Protection.
IST/33/5 is responsible for UK input into ISO/IEC JTC 1/SC 27/WG 5, which covers international standards for identity management, privacy frameworks and privacy-enhancing technologies. The committee oversees the preparation, publication, review and revision of relevant British Standards related to privacy and personal information management.