
ISO/IEC 27555

ISO/IEC 27555:2021 — Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion

(first edition)

Abstract

ISO/IEC 27555 “contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organisations by specifying: a harmonized terminology for PII deletion; an approach for defining deletion rules in an efficient way; a description of required documentation; a broad definition of roles, responsibilities and processes. ...”


[Source: ISO/IEC 27555:2021]

Introduction

This standard gives guidance on the deletion of Personally Identifiable Information using a systematic approach supporting ISO/IEC 29100’s “Privacy framework”.

Scope

The standard is intended for organisations that store and process PII “and other personal data”, in particular PII Controllers who are primarily accountable for compliance with privacy laws.

It does not address:

  • Specific provisions in laws and contracts (although it does reflect the general thrust of GDPR and other privacy laws and regulations based on the OECD privacy principles);

  • Specific deletion rules for particular types (“clusters”) of PII;

  • Deletion mechanisms such as those for cloud storage;

  • Security of the deletion mechanisms; nor

  • Specific techniques for de-identification (anonymisation) of data.


Standardising the approach may facilitate harmonized catalogues of PII deletion rules for industrial sectors, clarifying requirements for IT systems processing personal data.

Structure

Main sections:

  • 5: Framework for deletion

  • 6: Clusters of PII

  • 7: Specification of deletion periods

  • 8: Deletion classes

  • 9: Requirements for implementation

  • 10: Responsibilities

~30 pages

Status

The current first edition was published in 2021.


It is now being revised with publication of the second edition planned for mid-2027.

Commentary

The standard discusses deletion of “clusters” of PII, an intriguing yet complex concept relating to how PII is used for various business purposes.

This page last updated:

2 November 2025

© 2025 IsecT Limited 

 
