A.5.34 Privacy and Protection of PII
What is this control?
ISO 27001 control A.5.34 Privacy and Protection of PII ensures the organisation collects, protects, and manages personally identifiable information in compliance with privacy laws, including POPIA and GDPR. The control is implemented through Privacy by Design: data minimisation, storage limitation via Purview Retention Policies, automated PII discovery via Sensitive Information Types, encryption via Sensitivity Labels, and leak prevention via Data Loss Prevention.
How to implement in Microsoft 365
Implement A.5.34 with Privacy by Design by minimising PII collection to defined business purposes and applying retention policies to limit storage duration. Configure Purview Data Classification with custom and built-in Sensitive Information Types for PII patterns, including ID numbers, credit card numbers, and passport numbers. Apply the Purview "Highly Confidential Restricted Protected" sensitivity label to all identified PII.
Configure Data Loss Prevention policies to block unauthorised external transfer of PII. Activate the Microsoft Purview Data Subject Requests tool to handle POPIA and GDPR right-of-access and right-to-be-forgotten requests. Configure Compliance Manager with the POPIA and GDPR assessments.
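As an added illustration, not code from this page or from Microsoft, the Python below shows the pattern-plus-validator logic a custom Sensitive Information Type relies on: a deliberately loose regex finds candidate strings, and a checksum or structural validator filters them so that order numbers and mistyped IDs are not reported as PII. The South African ID number format (a POPIA-relevant example of a jurisdiction-specific ID) and the card numbers in the sample text are constructed test values.

```python
"""Toy PII detector: regex candidate pattern + validator, the same shape
as a Purview Sensitive Information Type (pattern, then a checksum check)."""
import re
from datetime import datetime


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by payment cards and South African ID numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_credit_card(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)   # strip spaces/dashes
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_za_id_number(candidate: str) -> bool:
    """13 digits YYMMDD SSSS C A Z: valid date, citizenship 0/1, Luhn digit."""
    if not re.fullmatch(r"\d{13}", candidate):
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")
    except ValueError:
        return False                          # e.g. month 13
    return candidate[10] in "01" and luhn_ok(candidate)


# Most specific type first; a span claimed by one type is not re-reported.
PATTERNS = {
    "South Africa ID Number": (re.compile(r"\b\d{13}\b"), is_za_id_number),
    "Credit Card Number": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), is_credit_card),
}

# Constructed sample text: one valid ID, one valid card, two look-alikes.
SAMPLE = (
    "Applicant ID 8001015009087 paid with card 4111 1111 1111 1111.\n"
    "Order ref 1234567890123456; wrong ID 8001015009088 was rejected.\n"
)


def scan(text: str):
    """Return [(type_name, matched_text)] for candidates that pass validation."""
    findings, claimed = [], []
    for name, (pattern, validator) in PATTERNS.items():
        for m in pattern.finditer(text):
            if any(s <= m.start() < e for s, e in claimed):
                continue                      # already attributed to a type
            if validator(m.group()):
                findings.append((name, m.group()))
                claimed.append(m.span())
    return findings
```

Running `scan(SAMPLE)` reports only the valid ID and the valid card; the order reference and the mistyped ID fail their checksums and are dropped.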
What an auditor looks for
Auditors will verify that an active Data Loss Prevention policy enforces PII protection and blocks unauthorised transfers. They will check that Purview Sensitive Information Types are configured for the applicable PII types, including jurisdiction-specific ID formats and credit card numbers. Auditors will verify that the Data Subject Requests module is accessible and functional for handling legal requests.
They will check for an active Compliance Manager assessment for POPIA or GDPR with real-time control mapping to legal requirements. Auditors will verify evidence of automated PII discovery scans across Exchange, SharePoint, and Teams.