
ISO 27001 A.5.34: Privacy and protection of personal identifiable information (PII)

What This Control Requires

The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII as required in applicable legislation and regulation and contractual requirements.

In Plain Language

A data breach involving personal information is one of the fastest ways to end up on the front page for the wrong reasons. This control is about knowing exactly what personal data you hold, understanding the legal obligations around it, and putting real protections in place.

Privacy requirements vary dramatically by jurisdiction and are only getting stricter. GDPR, CCPA/CPRA, LGPD - they all impose specific obligations around lawful basis for processing, data minimisation, purpose limitation, accuracy, storage limitation, and individual rights. Getting this wrong means regulatory fines, lawsuits, and a serious trust problem with your customers.

You need a clear picture of what PII you collect, where it is stored, how it flows through your organisation and out to third parties, and what protections each data set requires. That understanding is the foundation for everything else in your privacy programme.

How to Implement

Run a data mapping exercise first. Document what PII you collect, the data subjects involved, categories of personal data, processing purposes, legal basis, retention periods, recipients, and any international transfers. This mapping supports GDPR Article 30 records of processing activities and is the backbone of your privacy programme.

Appoint a Data Protection Officer (DPO) where required by law - mandatory under GDPR for public authorities and organisations doing large-scale processing of sensitive data. Even where not legally required, having a designated privacy lead shows commitment and gives everyone a clear point of contact.

Bake privacy into your development process from day one. Apply privacy by design and by default: integrate privacy considerations into new systems and processes from the outset, collect only the personal data you actually need, and set defaults that maximise privacy protection.

Set up procedures for handling data subject rights requests - access, rectification, erasure, restriction, portability, and objection under GDPR. Define response procedures, timeframes (one month under GDPR), and identity verification processes. Train relevant staff on handling these properly.

Implement technical and organisational measures: encrypt PII at rest and in transit, limit access to authorised personnel only, pseudonymise or anonymise where appropriate, deploy data loss prevention (DLP) tooling to prevent unauthorised disclosure, establish breach notification procedures that meet regulatory timeframes, and conduct data protection impact assessments (DPIAs) for high-risk processing.

Put data processing agreements in place with every third party that processes PII on your behalf, meeting GDPR Article 28 or equivalent requirements. Monitor their compliance. Conduct DPIAs for any processing likely to result in high risk to individuals.

Evidence Your Auditor Will Request

  • Records of processing activities documenting PII processing across the organization
  • Privacy policy and data protection procedures
  • Data processing agreements with third-party processors
  • Data subject rights request handling procedures and response records
  • Privacy impact assessment records for high-risk processing activities

Common Mistakes

  • No comprehensive mapping of PII processing activities across the organization
  • Data processing agreements are not in place with all third-party processors
  • No procedures for handling data subject rights requests within required timeframes
  • Privacy impact assessments are not conducted for high-risk processing
  • PII is retained beyond the necessary retention period without a legal basis

Related Controls Across Frameworks

Framework   Control ID       Relationship
SOC 2       P1.1             Related
GDPR        Art.5            Equivalent
GDPR        Art.24           Related
GDPR        Art.25           Related
GDPR        Art.32           Related
NIS2        Art.21(2)(f)     Partial overlap

Frequently Asked Questions

Do we need a Data Protection Officer?

Under GDPR, yes - if you are a public authority, if your core activities involve large-scale systematic monitoring of individuals, or if you process large volumes of special category data. Even if none of those apply to you, having a designated privacy lead is strongly recommended. It demonstrates commitment to data protection, gives people a clear point of accountability, and auditors will look favourably on it.

What is the relationship between ISO 27001 and GDPR compliance?

ISO 27001 gives you a solid information security management framework that covers GDPR Article 32 (security of processing) well. But it does not get you full GDPR compliance on its own. GDPR adds requirements around lawful basis for processing, data subject rights, privacy by design, DPIAs, and breach notification that go beyond what ISO 27001 covers. If you want a standard that bridges the gap, look at ISO 27701 - it extends ISO 27001 specifically for privacy information management.
