Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC 27555:2021)

The standard contains guidelines for developing and establishing policies and procedures for deletion
of PII in organizations by specifying:
—   a harmonized terminology for PII deletion;
—   an approach for defining deletion rules in an efficient way;
—   a description of required documentation; and
—   a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII is stored or processed.
This document does not address:
—   specific legal provisions, as given by national law or specified in contracts;
—   specific deletion rules for particular clusters of PII, which are to be defined by PII controllers for processing PII;
—   deletion mechanisms;
—   reliability, security and suitability of deletion mechanisms;
—   specific techniques for de-identification of data.

[German title] Information security, cybersecurity and data protection - Guidelines on the deletion of personally identifiable information (ISO/IEC 27555:2021)

[French title] Information security, cybersecurity and privacy protection - Guidelines on the deletion of personal data (ISO/IEC 27555:2021)

[Slovenian title] Information security, cybersecurity and privacy protection - Guidelines on the deletion of personal data (ISO/IEC 27555:2021)

First edition
Information security, cybersecurity and privacy protection — Guidelines on personally identifiable information deletion
[French title] Information security, cybersecurity and privacy protection — Guidelines on the deletion of personally identifiable information
Reference number: ISO/IEC 27555:2021(E)
© ISO/IEC 2021
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Framework for deletion
5.1 General
5.2 Constraints
5.3 Clusters of PII
5.4 Retention period and regular deletion period
5.4.1 Retention period
5.4.2 Regular deletion period
5.4.3 Allocation of clusters of PII
5.5 Archives and backup copies
5.6 Standard deletion periods, starting points, deletion rules and deletion classes
5.7 Special situations
5.8 Documentation of policies and procedures
6 Clusters of PII
6.1 General
6.2 Identification
6.3 Documentation
7 Specification of deletion periods
7.1 Standard and regular deletion periods
7.2 Regular deletion period specifications
7.3 Standard deletion period identification
7.4 Deletion period specifications for special situations
7.4.1 General
7.4.2 Modification of data objects
7.4.3 Need to extend period of active use
7.4.4 Suspension of the deletion
7.4.5 Backup copies
8 Deletion classes
8.1 Abstract starting points — abstract deletion rules
8.2 Matrix of deletion classes
8.3 Allocation of deletion classes and definition of deletion rules
9 Requirements for implementation
9.1 General
9.2 Conditions for starting points outside IT systems
9.3 Requirements for implementation for organization-wide aspects
9.3.1 General
9.3.2 Backup
9.3.3 Logs
9.3.4 Transmission systems
9.3.5 Repair, dismantling and disposal of systems and components
9.3.6 Everyday business life
9.4 Requirements for implementation for individual IT systems
9.5 Deletion in regular manual processes
9.6 Requirements for implementation for PII processor
9.7 Control deletion in special cases
9.7.1 Exception management
9.7.2 Further sets of PII
10 Responsibilities
10.1 General
10.2 Documentation
10.3 Implementation
Bibliography