GRCWatch
Sign inStart free trial

ISO 27001 Control 5.34: Privacy and Protection of Personal Identifiable Information

ISO 27001 control 5.34 requires your organization to identify and enforce privacy safeguards for personal identifiable information (PII) across all applicable legal, regulatory, and contractual obligations. Failing to establish clear PII protection policies exposes your business to regulatory fines, reputational damage, and customer trust erosion. This control forms the foundation of compliant data handling across your entire operation.

What this means

Control 5.34 mandates that organizations actively identify all PII in their systems and implement protective measures aligned with governing laws (GDPR, CCPA, HIPAA, etc.), industry standards, and customer contracts. PII includes names, addresses, email addresses, phone numbers, social security numbers, payment information, and any data that can identify an individual. The control requires you to know what data you hold, where it's stored, who can access it, and how it's processed—with documented policies and procedures in place.

How to comply

  1. 1.Conduct a data inventory audit to identify all PII collected, processed, stored, and transmitted across your organization
  2. 2.Document all applicable privacy laws and regulations relevant to your business (GDPR, CCPA, HIPAA, local data protection acts)
  3. 3.Review all customer contracts, service agreements, and vendor agreements for privacy and data protection requirements
  4. 4.Develop and publish a privacy policy that clearly outlines what PII you collect, how it's used, stored, and protected
  5. 5.Implement access controls to restrict PII access to authorized personnel only with defined job roles
  6. 6.Establish data retention and deletion policies aligned with legal requirements and contractual obligations
  7. 7.Create incident response procedures specifically for PII breaches with clear escalation paths
  8. 8.Conduct staff training on privacy obligations, handling of sensitive data, and reporting procedures
  9. 9.Perform regular privacy impact assessments when introducing new systems, processes, or data handling practices
  10. 10.Document all privacy controls, policies, and procedures for audit and compliance demonstration

Evidence auditors look for

  • Privacy policy document signed off by legal and management
  • Data inventory spreadsheet mapping all PII, storage locations, retention periods, and access controls
  • Completed privacy impact assessments (PIAs) for new systems or processes
  • Employee privacy training completion records and acknowledgment signatures
  • Access control matrices showing role-based PII permissions
  • Data processing agreements with vendors who handle PII
  • Retention and destruction schedule documentation with execution logs
  • Privacy breach response plan and incident log records
  • Regular privacy compliance audit reports
  • Data classification policy defining what constitutes PII in your organization

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates PII data inventory discovery, maps your control gaps against applicable privacy laws, and centralizes policy management with version control—eliminating manual spreadsheet tracking and reducing compliance mapping time from weeks to days.

See how GRCWatch handles this control automatically

Start free trial

Related controls

ISO 27001 5.1 — Policies for information securityISO 27001 5.2 — Information security roles and responsibilitiesISO 27001 5.16 — Rights of individualsISO 27001 6.5 — Access controlISO 27001 8.2 — Confidentiality or non-disclosure agreementsISO 27001 8.3 — Handling of assetsISO 27001 8.26 — Restrictions on information systems facilities access