ISO/IEC 27555 — Information technology — Security techniques — Establishing a PII deletion concept in organizations [DRAFT]
This standard will lay out a conceptual framework for the deletion of PII (Personally Identifiable Information). It will offer guidance on establishing deletion policies that embody that framework by specifying:
- Standard terminology for PII deletion;
- An approach for defining efficient deletion/de-identification rules;
- Required documentation; and
- Roles, responsibilities and processes.
Scope of the standard
The standard is intended for organizations that store and process PII (“and other personal data”).
It will not address:
- Specific provisions in laws and contracts;
- Specific deletion rules for particular types of PII;
- Deletion mechanisms including those for cloud storage;
- Security of the deletion mechanisms; nor
- Specific techniques for de-identification of data.
The standard is intended to help organizations meet the increasing demands of privacy/data protection regulation by supporting them in fulfilling its deletion requirements.
Standardizing the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.
Content of the standard
The project has just started (June 2018).
The outline goes beyond merely ‘establishing a concept’: it looks to me as if it will offer fairly specific guidance - which, to this pragmatist, sounds much more useful than ‘establishing a concept’.
When released, “PII” in the title may have to be expanded.