ISO 27555: Deletion of Personal Data - GDPR Compliance & Privacy

What Is ISO 27555?
ISO/IEC 27555:2021 was adopted as EN ISO/IEC 27555:2025 by the European Committee for Standardization in March 2025 - confirming its status as the European reference standard for PII deletion governance within the broader ISO/IEC JTC 1/SC 27 privacy standard family. A revision is already in development as ISO/IEC DIS 27555, reflecting the continuing evolution of the standard in response to implementation experience and regulatory developments.
The standard does not address specific legal provisions, specific deletion rules for particular categories of PII, the technical mechanisms of deletioncor de-identification techniques, it focuses exclusively on the governance framework within which deletion decisions are made, documented and executed.
ISO/IEC 27555 helps organizations delete personal data in a controlled, documented and privacy-aligned way across systems and records - Pacific Certifications
Deletion and Erasure Requirements
PII Clusters
A PII cluster is a defined grouping of PII data objects that share a common processing purpose, legal basis and consequently a common deletion rule. Rather than attempting to define deletion rules for every individual data field across every system, ISO/IEC 27555 introduces the cluster concept as an efficiency mechanism - grouping data objects that have the same retention and deletion parameters into a manageable set of clusters, each with a single defined deletion rule.
Retention Period
The retention period is the period during which PII must be kept - determined by the purpose of processing, any applicable legal retention obligation and any contractual requirement.
ISO/IEC 27555 requires that the retention period for each PII cluster is explicitly defined and documented - the starting point from which the retention period is measured (such as the end of the contractual relationship, the date of the last transaction, or the date of collection) must be clearly specified.
Deletion Period
The deletion period is the period within which PII must be deleted after the retention period has expired. This distinction is practically important - the deletion period begins when the retention period ends and defines the maximum time within which the organization must complete the deletion action.
Deletion Classes
ISO/IEC 27555 introduces a matrix of deletion classes that systematically combine abstract starting points and deletion rules - providing a structured reference framework that organizations can use to categorize all PII clusters according to their deletion parameters.
The deletion class matrix enables consistent application of deletion rules across different systems and processes by providing standardized reference categories rather than requiring bespoke deletion rules for every system.
Special Situations
ISO/IEC 27555 explicitly addresses the special situations that complicate straightforward deletion governance: modification of data objects - where a change to PII creates a new version that may have different retention parameters and need to extend period of active use - where PII that has reached the end of its retention period must be retained for a further defined period due to a new processing event; suspension of deletion - where deletion must be suspended pending resolution of a legal dispute, regulatory investigation, or litigation hold.
Practical Tip: Deletion and erasure requirements should clearly define what data must be removed, when it must be deleted, how deletion is verified and which legal exceptions apply.
Data Deletion Governance
Policy Framework
The governance framework begins with documented deletion policies - covering the organization's overall approach to PII deletion, the principles applied in determining retention and deletion periods, the roles responsible for policy ownership and implementation and the process for reviewing and updating policies as legal requirements or processing activities change.
Roles and Responsibilities
ISO/IEC 27555 defines a clear responsibility structure for PII deletion governance. The PII controller bears overall accountability for ensuring that deletion policies are defined, implemented and effective across all systems and processes handling PII - including those operated by PII processors on the controller's behalf.
Data owners within the organization are responsible for defining the retention and deletion parameters for the PII clusters within their functional domain. IT system owners are responsible for implementing the technical deletion mechanisms within their systems in accordance with the defined deletion rules.
Process for Defining Deletion Rules
ISO/IEC 27555 provides a structured process for developing deletion rules - beginning with the identification and documentation of PII clusters, progressing through the determination of applicable retention periods for each cluster, specification of the deletion period following retention expiry and assignment of each cluster to a deletion class.
This process must be documented and maintained as the organization's PII deletion concept - a living document that is updated as new processing activities are introduced, existing activities change, or applicable legal requirements are revised.
Deletion Across Organizational Boundaries
ISO/IEC 27555 addresses the challenge of ensuring deletion across the full data processing ecosystem - including PII held by PII processors and sub-processors acting on the controller's behalf.
The standard requires that PII processors implement deletion procedures consistent with the controller's deletion rules - and that processor deletion obligations are specified in the data processing agreement governing the controller-processor relationship.
Writer’s view: Deletion and erasure requirements should clearly define what data must be removed, when it must be deleted, how deletion is verified and which legal exceptions apply.
GDPR Article 17 Alignment
Article 17 - Right to Erasure
GDPR Article 17 gives data subjects the right to request erasure of their personal data where: the data is no longer necessary for the purpose for which it was collected; consent has been withdrawn and there is no other legal basis for processing; the data subject objects to processing under Article 21 and there is no overriding legitimate interest; the data has been unlawfully processed; erasure is required by applicable law; or the data was collected in relation to the offer of information society services to a child.
Article 5(1)(e) - Storage Limitation Principle
Beyond the individual right to erasure, GDPR's storage limitation principle requires that personal data is not retained longer than necessary for the purpose for which it was collected - imposing a general obligation on controllers to define retention periods for all personal data and to delete data when the applicable retention period expires.
Demonstrating Accountability
GDPR's accountability principle - Article 5(2) - requires that controllers are not only compliant but able to demonstrate compliance. ISO/IEC 27555's documentation requirements - covering the PII deletion concept, deletion rules for each PII cluster, records of deletion execution and records of erasure request handling - provide exactly the evidence base needed to demonstrate to data protection authorities, data subjects and auditors that deletion governance is systematic, consistent and effective.
Legal Basis for Retention Overriding Erasure
GDPR Article 17(3) provides that the right to erasure does not apply where retention is necessary for specific purposes - including compliance with a legal obligation requiring processing under EU or member state law, for archiving in the public interest, for scientific or historical research, or for the establishment, exercise, or defence of legal claims.
Practical Tip: Use ISO/IEC 27555 to support GDPR-aligned deletion practices, including data minimization, storage limitation and right-to-erasure workflows.
ISO 27555 Implementation Controls
Backup and Archive Management
Backup and archive copies present one of the most significant practical challenges in PII deletion governance - they typically lag the primary system deletion cycle, may contain PII long after it has been deleted from operational systems and are often not individually searchable or selectively deletable.
ISO/IEC 27555 requires that backup deletion is addressed explicitly in the organization's deletion policies - defining how backup cycles are managed relative to primary system deletion and ensuring that PII is not retained indefinitely in backup systems after it has been deleted from live systems.
Log and Audit Trail Management
System logs and audit trails frequently contain PII - IP addresses, usernames, transaction data and access records - that must be subject to defined retention and deletion rules.
ISO/IEC 27555 requires that log retention is explicitly addressed in the deletion policy - balancing the information security need to retain logs for incident investigation and forensic purposes against the privacy obligation to delete PII when it is no longer needed for its original purpose.
Transmission Systems
Email systems, messaging platforms and document sharing systems present particular deletion challenges - PII may exist in multiple copies across sender and recipient systems, in transit copies and in archived communications and may be replicated across multiple geographic locations.
Repair, Dismantling and Disposal of Systems
When IT equipment is repaired by third parties, refurbished, or disposed of at end of life, PII on storage media may be exposed to unauthorized access. ISO/IEC 27555 requires that deletion of PII from storage media is addressed in the equipment disposal and maintenance procedures - ensuring that data is securely removed from all storage media and that evidence of secure deletion is documented.
Everyday Business Life
ISO/IEC 27555 recognizes that PII deletion is not only a system-level activity - it also arises in everyday working practices, including the deletion of emails, physical destruction of paper documents, clearing of whiteboards and shared workspaces and removal of PII from shared network drives and collaboration tools.
Practical Tip: Strong implementation controls should define who approves deletion, which systems are covered, how deletion is verified and what evidence must be retained.
ISO 27555 Recordkeeping
The PII Deletion Concept Document
ISO/IEC 27555 requires that each organization develops and maintains a documented PII deletion concept - the master governance document that defines the organization's deletion framework.
The deletion concept must cover the complete inventory of PII clusters, the retention period and deletion period specifications for each cluster, the deletion class assignment, the starting points for retention period measurement and the special situation handling procedures.
Records of Deletion Execution
Organizations must maintain records demonstrating that deletion has been executed in accordance with defined deletion rules - providing evidence that PII was actually deleted within the specified deletion period after the retention period expired.
These records are the primary evidence used to demonstrate storage limitation compliance to data protection authorities and are essential in the event of regulatory investigation or data subject complaint about unlawful retention.
Records of Erasure Request Handling
Where PII is deleted in response to an individual's erasure request under GDPR Article 17 or equivalent provisions of other privacy regulations, the handling of each request must be documented - recording the request received, the assessment of whether the request is valid and whether any exception applies, the deletion action taken across all systems holding the relevant PII and the response provided to the data subject confirming deletion or explaining the basis for refusal.
Processor Deletion Records
Where PII is processed by PII processors on behalf of the controller, the controller must maintain evidence that processors have fulfilled their deletion obligations - either through processor-provided deletion certificates or through audit of processor deletion procedures.
The data processing agreement must specify the documentation that the processor is required to provide as evidence of deletion compliance.
Practical Tip: Keep deletion records clear enough to prove what was deleted, when it was deleted, who approved it and how verification was completed, without storing unnecessary personal data.
How ISO 27555 is related to ISO 27701?
ISO/IEC 27701 as the Governance Framework
ISO/IEC 27701 extends ISO/IEC 27001 to cover privacy information management - providing the certifiable management system framework within which all privacy governance activities, including PII deletion, are planned, implemented, monitored and improved.
ISO/IEC 27701 Annex B - the PII controller guidance - includes controls directly relevant to PII deletion, including controls on the retention of PII, the deletion or anonymization of PII and the handling of erasure requests from PII principals.
ISO/IEC 27555 as the Operational Implementation Guide
For organizations that have implemented ISO/IEC 27701 and are seeking detailed operational guidance on how to implement the deletion-related controls of their PIMS, ISO/IEC 27555 provides exactly the structured methodology needed.
The PII cluster concept, deletion class matrix and deletion concept documentation requirements of ISO/IEC 27555 directly operationalize the storage limitation and erasure controls required by ISO/IEC 27701 - providing the PII deletion-specific detail that ISO/IEC 27701 does not itself contain.
The ISO Privacy Standard Ecosystem
ISO/IEC 27555 sits within the broader ISO privacy standard family alongside ISO/IEC 29100 - the privacy framework providing foundational principles - ISO/IEC 27701 - the certifiable privacy information management system - ISO/IEC 27018 - the code of practice for PII protection in public cloud services - and ISO/IEC 29134 - the guidelines for privacy impact assessment.
Practical Tip: Use ISO/IEC 27555 to strengthen personal data deletion controls within an ISO/IEC 27701 privacy information management system.
ISO 27555 Certification Cost
The incremental cost of ISO/IEC 27555 implementation is primarily an internal effort cost - the time required to develop the PII deletion concept document, define deletion rules for each PII cluster, implement deletion procedures across IT systems and establish the recordkeeping framework.
For organizations with an existing PII data inventory and processing register developed as part of GDPR compliance or ISO/IEC 27701 implementation, this incremental effort is manageable - the cluster definition and deletion rule specification work builds directly on the existing processing register.
For organizations building a PII governance program from scratch, the combined ISO/IEC 27001, ISO/IEC 27701 and ISO/IEC 27555 implementation program represents a comprehensive privacy governance initiative with corresponding resource requirements.
Cost planning should consider data volume, system complexity, number of locations, processor involvement, privacy maturity and selected ISO audit scope.
ISO 27555 Certification Timeline
The PII cluster identification and deletion concept documentation activities are best aligned with the PII data mapping and processing register development that ISO/IEC 27701 requires - avoiding duplication by conducting a single comprehensive PII inventory exercise that supports both the processing register and the deletion concept simultaneously.
For organizations that already hold ISO/IEC 27001 certification and are extending to ISO/IEC 27701 - adding ISO/IEC 27555 deletion governance takes typically 6 to 10 weeks within the broader PIMS implementation program of 4 to 6 months.
The most time-consuming element is typically the PII cluster definition and deletion rule specification work - which requires structured engagement with data owners across the business to map PII holdings, agree retention periods and document deletion rules for each cluster.
Assigning data owners for each functional domain with clear accountability for defining and validating the deletion rules for their PII clusters and conducting the deletion concept review alongside the ISO/IEC 27701 PIMS internal audit, are the most effective ways to maintain program momentum.
How Pacific Certifications Can Help?
Accredited by ABIS, Pacific Certifications conducts impartial, evidence-based audits against applicable ISO standards in full conformance with ISO/IEC 17021. Our services for organizations implementing PII deletion governance include:
Independent certification audits for ISO/IEC 27701, ISO/IEC 27001, ISO 9001 and ISO 22301
Integrated management system audits covering multiple standards in coordinated, efficient audit visits
Stage 1 and Stage 2 audit execution across technology, financial services, healthcare and professional services organizations
Clear, transparent audit reports with conformity findings and certification decisions
Issuance of internationally recognized ISO certificates upon successful audit completion
Annual surveillance and triennial recertification audits to maintain certificate validity
Contact Us
To get started with your privacy certification program or initiate your audit, contact us at support@pacificcert.com or +91-8595603096.
For training programs, contact us at trainings@pacificcert.com.
Also read: ISO/IEC 27701 Certification: Privacy Management System & GDPR Compliance Guide
