Personal Information Management Systems (PIMS)

PIMS management for privacy and data protection compliance

A successful GDPR compliance programme necessitates robust PIMS management. 

At tlam our goal is to assist clients in utilising data in innovative and unique ways. This may entail personal data processing which by implication brings companies within the purview of data protection legislation, most notably the General Data Protection Regulation (GDPR) & Data Protection Act 2018 (DPA2018). Here we will discuss aspects of a successful PIMS that can assist with data protection compliance. In doing so this article demystifies the jargon, explains why managing personal data in an efficient way is key, what a PIMS can do for your organisation and finally how an effective PIMS feeds into an organisations' risk management strategy.

Jargon Buster

Whether your DPO (Data Protection Officer) has a robust PIMS (Personal Information Management System) in place to protect the C.I.A (Confidentiality;  Integrity and Availability of data sets) It is important to understand the rational and underlying need for a PIMS.

Why now?

The GDPR creates an onus on companies to understand and map the risks that they create for other persons personal data and, to mitigate those risks.The GDPR sets a new standard for transparency and information governance accountability. It is about moving away from viewing the law through a lens of a box-ticking exercise. It focuses on working towards a constantly evolving framework built on trust, ingraining a cultural shift towards privacy that pervades an entire organisation. 

why pims?

A definitive feature of a successful PIMS is the value of importing transparency into how companies deal with personal data – a key requirement under GDPR (Article 5(2)). A PIMS allows users to define, at a granular level, how their personal data should be used, and for what purposes, whilst simultaneously enabling an audit trail of the way this information is used. 

This allows data subjects to exert control over their information. But, implicit in this, is a comprehensive consent management functionality allowing users to withdraw their consent (subject to certain derogations and exemptions re: Article 23 GDPR & S 15 Data Protection Act 2018). Moreover, consent management – and by implication the ability to match user privacy preferences – allows for a data subject to audit their personal data. 

Especially given the numerous complex contexts and possibilities surrounding the collection and use of personal data, it is advisable companies to devote sufficient resources and time to the adoption of a suitable PIMS (not least because GDPR has been in effect since May 2018 and the failure to adequately map data flows and personal data could result in substantial fines from the UK Information Commissioner Office and, more to the point, damage to your organisation’s reputation and loss of trust from clients).


Incorporating PIMS into your overall risk management strategy is useful in its ability to delineate risk appetite and process co-ordination. Any risk management process consists of four basic processes – identify, quantify, respond and manage.

 A PIMS framework helps focus an organisation’s risk framework by identifying what personal data the data controller has, its legal basis and the how that information is used. A further benefit to a comprehensive framework with a clear scope is that the data controller is able to demonstrate compliance with the GDPR obligations surrounding data protection by design and default, transparency and accountability, security wherever data is transferred.

A report by the European Data Protection Board in 2016 highlighted that in enacting GDPR-compliant solutions, “interoperability is crucial”.  Particularly given the range of different solutions available and the technology-neutral approach the European Union has taken in enacting the GDPR. A PIMS would fail at the first hurdle if it didn’t account for user-centricity allowing individuals to port their data.

Whilst GDPR and the DPA 2018 do not explicitly require interoperable formats. Interoperability allows different systems to share information and resources. An ‘interoperable format’ is a type of format that allows data to be exchanged between different systems and be understandable to both.

Crucially, as stated by the ICO, “you are not expected to maintain systems that are technically compatible with those of other organisations. Data portability is intended to produce interoperable systems, not compatible ones”