In this ultimate how-to guide to implementing ISO 27001 Annex A 5.34 Privacy and Protection of PII, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Conduct Forensic Data Discovery
- 2. Construct a Granular Record of Processing Activities (RoPA)
- 3. Implement Automated Data Retention Policies
- 4. Enforce Pseudonymisation and Anonymisation
- 5. Secure PII with Column-Level Encryption
- 6. Operationalise Subject Access Requests (DSARs)
- 7. Validate Cross-Border Data Transfers
- 8. Integrate Privacy by Design into SDLC
- 9. Audit Sub-Processor Compliance
- 10. Establish Breach Notification Protocols
- ISO 27001 Annex A 5.34 SaaS / GRC Platform Implementation Failure Checklist
ISO 27001 Annex A 5.34 is a strict data governance mandate requiring the identification, classification, and cryptographic protection of Personally Identifiable Information (PII) throughout its lifecycle. The control forces organisations to move beyond policy documents and enforce technical privacy controls, delivering the business benefits of regulatory compliance with GDPR and reduced legal liability from data breaches.
ISO 27001 Annex A 5.34 Privacy and Protection of PII Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.34. This control demands a rigorous technical and legal framework to ensure the privacy and protection of Personally Identifiable Information (PII), going far beyond simple policy declarations to require hard-coded data governance.
1. Conduct Forensic Data Discovery
Control Requirement: Identify and classify all PII held within the organisation’s systems.
Required Implementation Step: Ignore user surveys. Run automated data discovery tools (using regex patterns for National Insurance (NI) numbers, emails, credit cards) across all unstructured file servers, S3 buckets, and database schemas to locate “shadow” PII. Map these findings to your asset register.
Minimum Requirement: A scan report confirming the physical location of all PII, reconciled against the stated inventory.
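The discovery-and-reconciliation step above, as an added example that is not part of the original guide: regex matchers for the three PII classes the checklist names (with a Luhn check so ticket and order numbers are not reported as cards), findings recorded with masked values only, and the scanned locations reconciled against a declared inventory to surface “shadow” PII. The source contents, bucket and file-server paths and the inventory set are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Regexes for the PII classes the checklist names (constructed for this example).
# UK National Insurance number: two letters (restricted alphabet), six digits, optional A-D suffix.
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]?\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13-19 digit runs with optional separators; the Luhn check below rejects ticket/order numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum: True only for a structurally valid payment card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if two digits
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass(frozen=True)
class Finding:
    location: str   # asset-register identifier of where the PII was found
    category: str   # ni_number / email / payment_card
    masked: str     # the scan report never stores the raw value

def mask(value: str) -> str:
    return "***" + value[-4:]

def scan_text(location: str, text: str) -> list[Finding]:
    findings = [Finding(location, "ni_number", mask(m)) for m in NI_RE.findall(text)]
    findings += [Finding(location, "email", mask(m)) for m in EMAIL_RE.findall(text)]
    findings += [Finding(location, "payment_card", mask(m)) for m in CARD_RE.findall(text) if luhn_ok(m)]
    return findings

def scan_sources(sources: dict[str, str]) -> list[Finding]:
    return [f for loc, text in sources.items() for f in scan_text(loc, text)]

def shadow_pii(findings: list[Finding], declared_inventory: set[str]) -> list[str]:
    """Locations holding PII that the stated inventory does not declare."""
    return sorted({f.location for f in findings} - declared_inventory)

# Constructed sample extracts standing in for a bucket export, a file share and a database table.
SAMPLE_SOURCES = {
    "s3://constructed-bucket/exports/customers.csv": "name,email,card\nJane Doe,jane.doe@example.com,4111 1111 1111 1111\n",
    "//fileserver/hr/payroll_notes.txt": "New starter NI: AB 12 34 56 C. Ticket 1234 5678 9012 3456 is not a card.\n",
    "db://crm.public.orders": "order_id,total\n1001,49.99\n",
}
DECLARED_INVENTORY = {"s3://constructed-bucket/exports/customers.csv"}  # what the RoPA currently claims
```

Running `scan_sources(SAMPLE_SOURCES)` and passing the result to `shadow_pii` reports the HR file share as an undeclared PII location, while the order table and the Luhn-invalid ticket number produce no findings.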
2. Construct a Granular Record of Processing Activities (RoPA)
Control Requirement: Document the legal basis and purpose for processing PII (alignment with GDPR/DPA 2018).
Required Implementation Step: Create a detailed register that maps specific database tables and columns to a legal basis (e.g., Consent, Contract, Legitimate Interest). Ensure this document explicitly lists the “Who, What, Where, Why, and When” for every PII data set.
Minimum Requirement: A RoPA document that references specific system identifiers (Table IDs/API endpoints) rather than vague business processes.
3. Implement Automated Data Retention Policies
Control Requirement: Ensure PII is not kept for longer than necessary.
Required Implementation Step: Configure database-level retention policies (e.g., TTL indices in MongoDB, retention policies in SQL databases) to automatically purge or anonymise user data once the retention period expires. Do not rely on manual administrative deletion.
Minimum Requirement: Verified scripts or configuration settings that auto-delete PII after the defined retention period.