ISO/IEC 27555 — Information security, cybersecurity and privacy protection — Rules on personally identifiable information deletion [Draft]
The standard will help companies to work toward deleting Personally Identifiable Information systematically while adhering to the “Privacy Framework” defined by ISO/IEC 29100.
The scope of the standard
In particular, the standard covers processing and storing PII, as well as other personal data, which is largely the responsibility of PII controllers.
Among the things it will not address are:
– Specific provisions in contracts and laws (the GDPR and other privacy rules based on the OECD’s privacy principles will be incorporated);
– Deletion rules that are specific for certain types (“groups”) of PII;
– Mechanisms for deleting data, such as cloud storage;
– Protection of the deletion mechanisms; nor
– De-identification (anonymization) of data using specific techniques.
Using a standard approach may facilitate harmonized lists of the PII deletion rules for different industrial sectors and clarify IT requirements for processing personal data.
The standard guides policies and procedures in 30 pages, including:
– Harmonized terminology for the deletion of PII;
– A better way to define deletion / de-identification rules;
– Documentation requirements; and
– Responsibilities, roles, and processes.
In 2018, the project was launched. The standard is scheduled to be published in 2021.
The document is a Draft International Standard that has been accepted for publication.
In addition to establishing a concept as was originally intended, the standard offers practical advice as well.
This standard describes how PII is used for various business purposes as ‘clusters,’ a fascinating but complex concept.