Technology Blogs by SAP
Reading the other day that SAP SE received a global certification by British Standards Institute (BSI) for data protection and privacy[1], I wanted to learn more about which GDPR certification opportunities are currently available and how far this could help to demonstrate compliance.

What Exactly Is BS 10012:17 from BSI and What Does It Provide?

It specifies a framework for implementing a personal information management system (PIMS)[2] in compliance with the General Data Protection Regulation (GDPR) and mandates the implementation of such a system within corporate security programs. It describes a framework to manage the privacy of personal data and implement necessary policies, procedures, and controls to help ensure compliance with the GDPR.

Do ISO 27001 and BS 10012:17 Complement Each Other?

The PIMS, also called Data Protection Management System (DPMS) under BS 10012:17, is based on Article 42[3], which explicitly addresses certification mechanisms. These can prove that data protection is being observed. An Information Security Management System (ISMS) according to ISO 27001 also has this as its goal. Therefore, anyone who is accredited with ISO 27001 certification proves that they comply with a global standard in best-practice schemes of data protection.


However, the GDPR covers not only data protection, but also the rights of the individuals concerned with regard to their personal data. For example, it requires that they be informed about and give explicit consent to the collection of personal data, and that they have the right to delete, correct, or migrate personal data. These rights are not covered by ISO 27001 and must be implemented independently.

BS 10012 provides guidance for data inventory, some legalities for collecting and processing PII, as well as Data Privacy by Design and Default. These sections are critical to GDPR.


In addition to achieving compliance with ISO 27001, organisations should meet certain additional requirements in the GDPR that are covered by BS 10012:2017[4].

Either you integrate special GDPR data protection requirements (with or without BS 10012) into your ISMS according to ISO 27001, or you opt for a stand-alone DPMS, for example, with BS 10012. A management system is a good solution to meet GDPR requirements and, much more, to stay ahead of the game[5].

The British Standard (BS) 10012 follows the high-level structure of all relevant ISO management system standards. For companies that are already compliant with an ISO standard, this is great news: same structure, same core text. If needed, you can use the ISO/IEC 29151 control framework and ISO/IEC 29134 for DPIA as additional guidance for your DPMS.

Which Certificates Does SAP Have?

For SAP, it’s important that third-party certification bodies provide independent confirmation that SAP meets the requirements of international standards. Since 1998, SAP has held an ISO 9001 certificate. SAP is also certified according to ISO 27001, ISO 22301, and BS 10012. All locations worldwide work according to one common process framework, including data security and privacy regulations. SAP regularly checks compliance through internal reviews and audits.


If you want to hear more about certifications and how SAP manages data privacy under GDPR regulation, don’t miss my interactive session with SAP’s Chief Data Protection Officer, Mathias Cellarius, and BSI Board Member Howard Kerr at SAPPHIRE Orlando:

Learn More

  • Read our other GDPR-specific blogs and check out SAP’s GDPR webpage for resources and information about which SAP solutions and services could help you govern your GDPR program and manage and protect your data for sustainable GDPR compliance


NOTE: The information contained in this blog represents the author’s personal opinion and is for general guidance only and provided on the understanding that SAP is not herein engaged in rendering legal advice. As such, it should not be used as a substitute for legal consultation. SAP SE accepts no liability for any actions taken as response hereto.

It is the customer’s responsibility to adopt measures that the customer deems appropriate to achieve GDPR compliance.