ISO/IEC 29151
Information technology - Security techniques - Code of practice for personally identifiable information protection
Overview
Provides guidance on protecting Personally Identifiable Information (PII) through appropriate technical and organizational controls. Complements ISO 27701 with detailed control guidance for the security-of-processing requirements of GDPR Article 32.
Applicability
Technical and organizational measures for protecting personal data
Relevance to General Data Protection Regulation (GDPR)
Supports GDPR principles (Article 5) and security requirements (Article 32) with detailed technical controls
Key Coverage Areas
Standard Sections & Chapters
Consent and choice
Purpose legitimacy
Collection limitation
Data minimization
Use, retention and disclosure limitation
Information security for PII
Privacy controls (based on ISO 29100 principles)
Related General Data Protection Regulation (GDPR) Articles
Article 5: Principles relating to processing of personal data
Standard Section: PII protection controls
Implementation Guidance:
Implement technical controls for data minimization, purpose limitation, and retention
Mapped Obligations:
- Process personal data lawfully, fairly and transparently
- Limit data collection to what is necessary (data minimization)
- Keep personal data accurate and up-to-date
- Implement appropriate security measures to protect data
Article 17: Right to erasure (‘right to be forgotten’)
Standard Section: Use, retention and disclosure limitation
Implementation Guidance:
Implement controls for data retention and secure deletion
Mapped Obligations:
- Delete personal data without undue delay when requested by the data subject
- Delete data immediately when consent is withdrawn and no other legal basis exists
Article 25: Data protection by design and by default
Standard Section: Collection limitation and data minimization controls
Implementation Guidance:
Implement technical measures for minimal data collection
Mapped Obligations:
- Build in data protection principles like data minimization from the start
- Use techniques like pseudonymization to protect personal data
- Restrict access to personal data by default, so that it is not made accessible to an indefinite number of people without the individual's intervention
Article 32: Security of processing
Standard Section: Information security for PII
Implementation Guidance:
Implement PII-specific security controls
Mapped Obligations:
- Implement technical and organizational security measures appropriate to the risk
- Consider pseudonymization and encryption of personal data
- Ensure ongoing confidentiality, integrity, availability and resilience of systems
- Regularly test and evaluate the effectiveness of security measures
Quick Information
- Organization: ISO/IEC
- Category: PII Protection
- Certification: Not available