Annex A · Organisational Control

A.5.34 — Privacy and Protection of PII

Reviewed by: Cenedril Editorial
Tags: A.5.34 · ISO 27001 · ISO 27002 · BSI ORP.5 · BSI CON.2

A marketing team launches a customer analytics platform, feeding purchase histories, location data and browsing behaviour into a new cloud service. Nobody checks whether a data protection impact assessment is needed. Nobody verifies the cloud provider's data processing agreement. Nobody confirms where the data is stored. Three months later, the supervisory authority opens an investigation. A.5.34 closes this gap by requiring that privacy protection be embedded in the organisation's information security framework.

Privacy and information security are complementary disciplines. Information security protects data from unauthorised access, modification and loss. Privacy ensures that personal data is collected, processed and stored in accordance with the rights of the individuals it belongs to. A.5.34 brings both together.

What does the standard require?

  • Develop a privacy policy. The organisation must create and communicate a policy addressing the protection of PII, aligned with applicable privacy legislation.
  • Assign responsibilities. A designated person (e.g. DPO) must oversee PII protection. Roles and responsibilities for privacy compliance must be clearly defined.
  • Implement technical and organisational measures. Appropriate controls must be in place for every processing activity involving PII — from collection through processing to deletion.
  • Maintain a record of processing activities. The organisation must document what PII it processes, for what purpose, on what legal basis and with what safeguards.
  • Conduct impact assessments. Where applicable legislation requires it (under GDPR Art. 35, for processing likely to result in a high risk to individuals), a data protection impact assessment (DPIA) must be completed before processing begins.

In practice

Map all PII processing activities. Create and maintain a record of processing activities (RoPA) that documents what personal data the organisation collects, why, from whom, where it is stored, who has access, how long it is retained and how it is deleted. This inventory is the foundation for all privacy measures.

Embed privacy in new projects. Implement a privacy-by-design process that requires a privacy assessment before any new system, application or process that handles PII goes live. This prevents the common pattern of discovering privacy issues only after deployment.

Define data deletion procedures. PII must be deleted when the processing purpose expires or, where consent was the legal basis, when the data subject withdraws it; data held under a statutory retention obligation (tax or accounting records, for example) is kept until that obligation ends. Implement automated deletion routines driven by the retention periods recorded in the RoPA, and verify that deletion covers every copy: backups, logs, caches, analytics exports and third-party systems. A copy in a store the RoPA never listed is the typical way deletion silently fails, so the verification step should scan all stores, not only the ones the inventory names.
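The routine below is an added example in Python, not code from the page or from Cenedril. It assumes a minimal RoPA entry (name, legal basis, retention period, and the stores the RoPA says hold a copy) and a set of in-memory stores keyed by subject ID; all data, store names and field names are constructed for illustration. It deletes records whose retention period has run out or whose consent was withdrawn, then verifies against every store so that a copy the RoPA missed shows up in the deletion record as evidence of a gap.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingActivity:
    """One RoPA entry (hypothetical schema; the page names no specific fields)."""
    name: str
    legal_basis: str           # "consent", "contract", "legal obligation", ...
    retention_days: int        # retention period documented in the RoPA
    stores: tuple[str, ...]    # every system the RoPA says holds a copy


@dataclass
class DeletionRecord:
    """One line of deletion evidence for the audit trail."""
    activity: str
    subject_id: str
    reason: str
    deleted_from: list[str]
    leftover_copies: list[str]   # copies found in stores the RoPA did not list
    performed_on: date


def deletion_reason(activity, retained_since, today, consent_withdrawn):
    """Return why the data must go now, or None if it may still be kept.

    Withdrawal of consent only forces deletion when consent was the legal
    basis; data held under a contract or a statutory retention duty stays
    until its retention period runs out.
    """
    if consent_withdrawn and activity.legal_basis == "consent":
        return "consent withdrawn"
    if today >= retained_since + timedelta(days=activity.retention_days):
        return "retention period expired"
    return None


def enforce_retention(activities, stores, primary, today, withdrawals=frozenset()):
    """Delete due records from every store the RoPA lists, then verify
    against *all* stores so that copies the RoPA missed are reported.

    stores: store name -> {subject_id: payload}. The primary store's payload
    is a dict carrying "activity" and "retained_since" (constructed layout).
    """
    by_name = {a.name: a for a in activities}
    records = []
    for subject_id, payload in list(stores[primary].items()):
        activity = by_name[payload["activity"]]
        reason = deletion_reason(activity, payload["retained_since"], today,
                                 subject_id in withdrawals)
        if reason is None:
            continue
        deleted_from = [s for s in activity.stores
                        if stores[s].pop(subject_id, None) is not None]
        # Verification scans every store, not only those listed for the activity.
        leftovers = sorted(s for s, data in stores.items() if subject_id in data)
        records.append(DeletionRecord(activity.name, subject_id, reason,
                                      deleted_from, leftovers, today))
    return records


def run_example():
    """Constructed RoPA and stores; returns (deletion records, stores afterwards)."""
    activities = [
        ProcessingActivity("newsletter", "consent", 365, ("crm", "mail_log")),
        ProcessingActivity("order_history", "contract", 3650, ("crm", "analytics")),
    ]
    stores = {
        "crm": {
            "u1": {"activity": "newsletter", "retained_since": date(2023, 1, 1)},
            "u2": {"activity": "newsletter", "retained_since": date(2024, 12, 1)},
            "u3": {"activity": "order_history", "retained_since": date(2015, 1, 1)},
        },
        "mail_log": {"u1": "sent 2023-02-01", "u2": "sent 2025-01-01"},
        "analytics": {"u3": "orders: 12"},
        "bi_export": {"u3": "orders: 12"},   # copy nobody recorded in the RoPA
    }
    records = enforce_retention(activities, stores, "crm", date(2025, 6, 1),
                                withdrawals={"u2"})
    return records, stores


if __name__ == "__main__":
    for rec in run_example()[0]:
        print(rec)
```

Running it deletes u1 (retention expired) and u2 (consent withdrawn) from the CRM and mail log, and u3 from the CRM and analytics, but reports `bi_export` as a leftover copy for u3: exactly the case the verification step exists to catch, and the line an auditor would want to see in the deletion log.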

Manage processor relationships. When third parties process PII on the organisation’s behalf, data processing agreements must be in place. Verify that processors implement adequate security measures and that the contract covers audit rights, breach notification obligations and data return/deletion upon termination.

Typical audit evidence

Auditors typically expect the following evidence for A.5.34:

  • Privacy policy — approved, communicated and current
  • Record of processing activities (RoPA) — comprehensive inventory of PII processing
  • Data protection impact assessments — completed DPIAs for high-risk processing activities
  • Data processing agreements — contracts with all processors handling PII on the organisation’s behalf
  • Deletion records — evidence that PII is deleted in accordance with retention policies
  • Training records — evidence that staff handling PII have received privacy training

KPI

% of PII processing activities with implemented privacy controls

This KPI measures the coverage of privacy measures across all identified processing activities. For each processing activity in the RoPA, verify that the documented technical and organisational measures are implemented. Target: 100%.

Supplementary KPIs:

  • Percentage of processing activities with a completed DPIA (where required)
  • Percentage of data processors with a current data processing agreement
  • Percentage of data subject requests fulfilled within the statutory deadline (under GDPR Art. 12(3): one month, extendable by a further two months for complex or numerous requests)

BSI IT-Grundschutz

A.5.34 maps to numerous BSI modules addressing data protection and privacy:

  • ORP.5 (Compliance management) — legal compliance framework including data protection.
  • CON.2 (Data protection) — dedicated module for data protection requirements in information processing.
  • CON.1.A9, OPS.1.1.5.A5, OPS.1.1.6.A11 — data protection in system operations, logging and monitoring.
  • DER.1.A2, DER.1.A10 — privacy considerations in detection and security event management.
  • APP.1.2.A11, SYS.2.1.A42, SYS.2.2.3.A4 — application and system-level privacy controls.

A.5.34 connects privacy protection to the broader ISMS:

Frequently asked questions

What is the difference between A.5.34 and GDPR compliance?

A.5.34 addresses the information security aspects of PII protection. It requires the organisation to implement technical and organisational measures for protecting personal data. GDPR goes further with requirements for lawful basis, data subject rights, DPIAs, breach notification and international transfers. A.5.34 provides the security foundation that GDPR and similar laws build upon.

Does A.5.34 require a Data Protection Officer?

The standard itself does not mandate a DPO. GDPR and similar regulations do, under specific conditions: processing by a public authority, core activities involving regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data. Regardless of whether a DPO is legally required, the organisation must assign clear responsibility for PII protection.

How does A.5.34 handle international data transfers?

A.5.34 requires compliance with applicable privacy legislation, which includes transfer restrictions under GDPR, UK GDPR and similar laws. The organisation must identify where PII is processed and stored (including by sub-processors and backup locations), verify that adequate safeguards are in place for cross-border transfers, and document the legal basis and transfer mechanism for each transfer, such as an adequacy decision or standard contractual clauses under GDPR Chapter V.