ISO/IEC 27001 Control 5.34: Privacy and protection of PII


The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.


ISO27002 guidance for this control is surprisingly brief, given the scope, depth and impact of privacy to cybersecurity field. The guidance refers to other ISO documents, and especially to relevant legislation and regulations. General data protection regulation (GDPR) enacted by European Union is a prime example of such legislation. It sets requirements, expectations and best practices that are worth following even in international context.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint provides features that are necessary for maintaining privacy at scale, especially when dealing with consumer identities, external collaborators and similar broad user communities.

Implementation Details

MidPoint is built specifically to work with personal data, keep the data consistent, control transfer of personal data and enforce policies. As such, it has absolutely crucial role in establishing and maintaining of privacy practices in organizations, especially if the privacy is to be applied consistently at scale. The core of the functionality is formed around common identity model (common schema) that midPoint brings for identities. Common identity model gives meaning to all the identity data, allowing establishment of policies on their appropriate use. For example we know which attributes contain personally identifiable information (PII), therefore we can control its distribution and use. This is further refined by identity lifecycle mechanism, controlling use and storage of data at certain states of identity lifecycle. For example, data regarding archived identities can be automatically reduced to the necessary minimum (information erasure). Projection links are used in midPoint to track copies of information, which is essential for keeping records about copies of personal data. The links are efficiently creating information inventory for personal data. Provisioning mechanism can be used to set up appropriate extent of personal data to target systems. Even more importantly, it can also be used to delete (deprovision) the data when not needed. Provisioning, together with synchronization mechanisms are essential for keeping all copies of personal data up-to-date, which is a common requirement of privacy regulations. Assignments can be used to track application of legal bases for information processing, represented by roles and services (applications). Assignment can also be used as a reflection of user consent, making sure that all information provisioned at the time consent was given is properly deprovisioned when consent is revoked. Integral documentation (midScribe) can be used to document the legal bases for information processing as they are associated with roles and services. This is especially useful for documenting business roles and archetypes, as they usually convey information about legal bases (e.g. employee archetype as representation of employment contract as a legal basis). Object metadata can be used to record origin of objects, documenting legal provenance of processed information. This can be further extended by value metadata, which document provenance of every individual data item and value. Use of location information and classifications, together with policy rules, can be used to avoid illegal transfer of personal information, e.g. making sure that personal information is copied only to applications located in European Union. Authorizations can be used to limit access to personal information within midPoint, controlling access at very fine level. Audit trail is used to record all activities regarding use and copies of personal information within the reach of midPoint deployment.

Implementation Notes

  • Retention of audit log data may be limited by privacy regulations.

  • Very common misconception is that privacy is all about secrecy of personally identifiable information (PII). This belief is wrong in all of its aspects. Firstly, privacy is not just about secrecy of information. Privacy is primarily concerned about appropriate use of information. The sole fact that an organization legally posses personal data does not entitle the organization to unlimited processing of the data. Secondly, privacy is not just about personally identifiable information, such as national identifiers. Privacy is concerned with much broader concept of personal data, which includes information that may not be necessarily identifiable, such as information about gender or medical condition of subjects. Overall, understanding the nature of privacy is much more complex than it may seem. Consultation with a privacy professional is more than recommended.


While privacy and personal data can be managed manually in smaller organizations, midPoint is absolutely essential for large organizations. The minute details of personal data management cannot be easily tracked and managed when number of identities, identity types, roles and policies grows. Automation and policy-based approach is the only feasible option.

Was this page helpful?
Thanks for your feedback