ISO/IEC 27555 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion [DRAFT]
This standard will guide the deletion of personally identifiable information (PII) using a systematic approach supporting ISO/IEC 29100 “Privacy framework”.
Scope of the standard
The standard is intended for organizations that store and process PII “and other personal data”, in particular PII Controllers who are largely accountable for compliance.
It will not address:
- Specific provisions in laws and contracts (although it will reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);
- Specific deletion rules for particular types (“clusters”) of PII;
- Deletion mechanisms such as those for cloud storage;
- Security of the deletion mechanisms; nor
- Specific techniques for de-identification (anonymisation) of data.
Standardizing the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.
Content of the standard
In ~38 pages, the standard will offer guidance on policies and procedures including:
- Harmonised terminology for PII deletion;
- An approach for defining efficient deletion/de-identification rules;
- Required documentation; and
- Roles, responsibilities and processes.
The project started in 2018. The standard is due to be published at the end of 2021.
It is currently at 2nd Committee Draft stage, with a revised title as above.
Thankfully, the standard goes beyond merely ‘establishing a concept’ as was originally envisaged, offering pragmatic advice as well.