
ISO 27001:2022 A.5.34 Privacy and protection of PII

This article provides additional information on how you can meet the requirement of ISO 27001:2022 A.5.34, Privacy and protection of PII.

ISO 27001:2022 Control Description

The organisation shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

Purpose

To ensure compliance with legal, statutory, regulatory, and contractual requirements related to the information security aspects of protecting PII.

Guidance

The organisation should establish and communicate a topic-specific policy on privacy and the protection of PII to all relevant interested parties.

The organisation should develop and implement procedures for preserving privacy and protecting PII. These procedures should be communicated to all relevant interested parties involved in processing PII.

Compliance with these procedures, as well as with all relevant legislation and regulations concerning the preservation of privacy and protection of PII, requires clearly defined roles, responsibilities, and controls. This is often best achieved by appointing a responsible individual, such as a privacy officer, who should provide guidance to personnel, service providers, and other interested parties on their individual responsibilities and the specific procedures that must be followed.

Responsibility for handling PII should be managed in accordance with relevant legislation and regulations. Appropriate technical and organisational measures to protect PII should be implemented.

Other Information

Many countries have introduced legislation that places controls on the collection, processing, transmission, and deletion of PII. Depending on the respective national legislation, such controls can impose duties on those collecting, processing, and disseminating PII and can also restrict the authority to transfer PII to other countries.