ISO 29100: Privacy Framework - Data Protection Principles & Implementation
Post by Alina Ansari | July, 2026

What Is ISO 29100?
Published by ISO and IEC through ISO/IEC JTC 1/SC 27 - the subcommittee of the joint technical committee responsible for information security, cybersecurity and privacy protection - it establishes common privacy terminology, defines the actors and roles in PII processing, identifies the factors from which privacy safeguarding requirements are derived, and specifies eleven foundational privacy principles that together provide the conceptual foundation for designing and operating privacy-respecting ICT systems and processes.
ISO/IEC 29100 is a framework standard rather than a controls standard or a certifiable management system standard - it does not prescribe specific technical or organizational measures, but provides the conceptual structure and principles within which those measures are selected, implemented, and evaluated.
The original 2011 edition was clarified by Amendment 1 in 2018 (ISO/IEC 29100:2011/Amd 1:2018) and has since been superseded by a second edition, ISO/IEC 29100:2024, which revises the text in light of experience with major privacy regulations including the GDPR; the eleven privacy principles, accountability among them, were already present in the 2011 edition, so programs built on the earlier text do not need to be restructured. The standard applies to any natural or legal person, public or private, that handles PII within ICT systems - making it globally applicable across all sectors, organization sizes, and jurisdictions.
ISO/IEC 29100 helps organizations build privacy programs around clear PII roles, privacy principles and accountable data protection governance - Pacific Certifications
Privacy Framework Concepts
Personally Identifiable Information (PII)
ISO/IEC 29100 defines PII as any information that can be used to identify the PII principal to whom it relates, or that is or might be directly or indirectly linked to a PII principal. The definition is broad and technology-neutral - it covers direct identifiers such as names, identity numbers and contact details, indirect identifiers such as IP addresses, device identifiers and location data, and combinations of attributes that, taken together, single out one individual.
Whether information is PII is therefore a question of context, not of the field name: a data set that identifies no one on its own becomes PII as soon as some party can link it to an individual, which is the practical reality of modern data environments where seemingly innocuous data points are routinely combined.
PII Principal
The PII principal is the natural person to whom PII relates - the individual whose privacy interests are protected by the framework. ISO/IEC 29100 uses "PII principal" rather than the more familiar "data subject" because the latter carries specific legal meanings in particular jurisdictions; the neutral term keeps the framework usable alongside a broad range of privacy laws.
The PII principal is the central party whose interests the privacy principles are designed to protect.
Privacy Stakeholders
ISO/IEC 29100 defines four actors directly involved in PII processing - PII principals whose personal information is being processed, PII controllers who determine the purposes and means of processing, PII processors who process PII on behalf of controllers, and third parties who receive PII from controllers or processors - and uses the broader term privacy stakeholder for any party with an interest in or obligations arising from that processing, including privacy authorities that oversee compliance and the information and communication technology providers that supply the systems and infrastructure used to process PII.
Privacy Safeguarding Requirements
Privacy safeguarding requirements are the requirements an organization has to take into account when processing PII in order to protect the privacy of PII principals. ISO/IEC 29100 does not reduce them to a fixed list; it identifies the factors from which they are derived: legal and regulatory factors (privacy laws, sector rules, cross-border transfer restrictions), contractual factors (customer, partner and processor agreements), business factors (the organization's own policies, purposes and risk appetite), and other factors such as the reasonable expectations of PII principals, the sensitivity of the PII and applicable technical standards. The classic confidentiality, integrity and availability objectives belong to the information security principle that protects PII once those requirements are known; they are not the safeguarding requirements themselves.
Practical Tip: Start by defining PII, privacy stakeholders, safeguarding requirements and processing roles before selecting privacy controls.
PII Controller and Processor Roles
PII Controller: A PII controller is the stakeholder who determines the purposes and means by which PII is processed - making the key decisions about what personal information is collected, why it is collected, how it is used, with whom it is shared, and how long it is retained. The PII controller bears primary accountability for compliance with privacy principles and regulatory obligations.
PII Processor: A PII processor is a party who processes PII on behalf of and under the instruction of a PII controller - not for their own purposes, but to provide a service to the controller. Cloud computing providers, payroll processors, email service providers, and analytics service providers are common examples of PII processors.
The Controller-Processor Distinction in Practice: The controller-processor distinction is not always straightforward - the same organization may be a controller for some PII processing activities and a processor for others, and the roles may be concurrent where multiple parties jointly determine processing purposes.
Privacy accountability becomes clearer when organizations know whether they decide the purpose of processing or process PII on another party’s instructions.
The 11 Privacy Principles
Consent and Choice: PII should be processed only with the knowledge and freely given, specific, and informed consent of the PII principal - unless another lawful basis for processing is applicable. PII principals must have genuine choice about whether to consent to processing, and consent must be withdrawable without detriment.
Purpose Legitimacy and Specification: The purposes for which PII is collected must be legitimate, specific, and disclosed to the PII principal at or before the time of collection. Processing must be limited to the specified purposes - secondary use of PII for purposes materially different from those disclosed requires a new legal basis and new disclosure to the PII principal.
Collection Limitation: Only PII that is adequate, relevant, and limited to what is necessary for the specified purpose should be collected. The collection limitation principle directly addresses the tendency of organizations to collect more personal information than they need on the basis that it might be useful in the future - requiring instead that collection is proportionate to the defined processing purpose.
Data Minimization: The data minimization principle extends collection limitation to cover the entire processing lifecycle - not only limiting initial collection but requiring that PII is minimized, aggregated, anonymized, or pseudonymized wherever it is technically feasible to achieve the processing purpose with less personal information.
Use, Retention, and Disclosure Limitation: PII must be used, retained, and disclosed only in accordance with the specified purpose and any applicable consent. PII must not be retained longer than necessary for the purpose - retention periods must be defined and enforced - and disclosure to third parties must be governed by agreements that ensure the recipient processes PII only for purposes consistent with those for which it was originally collected.
Accuracy and Quality: PII must be accurate, complete, and kept up to date to the extent necessary for the purposes for which it is processed. Organizations must implement processes to identify and correct inaccurate PII, and must provide PII principals with mechanisms to review, correct, and update their personal information.
Openness, Transparency, and Notice: PII controllers must be transparent about their PII processing practices - providing PII principals with clear, accessible, and timely information about what personal information is collected, for what purposes, on what legal basis, with whom it is shared, and what rights the PII principal has.
Individual Participation and Access: PII principals must be able to access their personal information held by a PII controller, verify its accuracy and completeness, and have inaccurate or incomplete information corrected. This principle encompasses the right of access - which requires organizations to have technically feasible mechanisms for responding to access requests - and the right to rectification.
Accountability: PII controllers are accountable for compliance with the privacy principles - and must implement the policies, procedures, training, monitoring, and audit mechanisms needed to demonstrate that compliance. Accountability is both an internal governance requirement and an external obligation - regulators, customers, and partners may all require evidence of privacy governance effectiveness.
Information Security: PII must be protected by technical and organizational security measures appropriate to the nature of the information and the risks associated with its processing - covering unauthorized access, disclosure, modification, or destruction.
Privacy Compliance: PII controllers must ensure that their processing activities comply with all applicable privacy laws, regulations, and contractual obligations. This principle acknowledges that ISO/IEC 29100 operates alongside rather than in place of jurisdiction-specific privacy regulation - the framework's eleven principles provide the international conceptual foundation, while national and regional regulations provide the legally enforceable obligations.
Tip: Use the 11 privacy principles as a practical checklist for consent, purpose, minimization, transparency, security, accountability and compliance.
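Data minimization and use, retention and disclosure limitation are the two principles above that most often fail in practice, because they are documented in policy but never enforced in the code that handles the records. The following Python is an added example - not code from the original article, from Pacific Certifications or from ISO/IEC 29100 itself - showing one way to enforce both on a constructed set of customer records: a per-purpose field allow-list, a keyed (HMAC) pseudonym in place of the direct identifier, and a retention check applied before any record is released. The record layout, the two purposes, the retention periods and the key are assumptions made for the demonstration.

```python
"""Added illustration of data minimization and retention enforcement.
Not part of ISO/IEC 29100 or of the original article; the record layout,
purposes, retention periods and key are assumptions for the demo."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample records - fictional people, not real data.
RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "ip_address": "203.0.113.7",
     "date_of_birth": "1990-04-12", "order_id": "order-1001", "collected": "2024-01-15"},
    {"name": "Bo Sample", "email": "bo@example.net", "ip_address": "198.51.100.23",
     "date_of_birth": "1985-11-30", "order_id": "order-1002", "collected": "2024-05-20"},
]

# Per-purpose allow-lists (assumed): each purpose sees only the fields it needs.
# Direct identifiers never reach the analytics view at all.
PURPOSE_FIELDS = {
    "order_fulfilment": {"email", "order_id", "collected"},
    "analytics": {"order_id", "collected"},
}

# Retention periods in days (assumed). The principle requires them to be
# defined *and* enforced, so they are data the code reads, not prose.
RETENTION_DAYS = {"order_fulfilment": 365, "analytics": 90}

# Demo key only. In production the key lives in a KMS/HSM, separate from the
# data store, because whoever holds it can re-link pseudonyms to people.
PSEUDONYM_KEY = b"demo-key-do-not-use-in-production"

# Fixed "today" so the demo is deterministic.
AS_OF = date(2024, 6, 1)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the value, truncated to 16 hex chars.

    A plain SHA-256 of an e-mail address is not a pseudonym - addresses are
    guessable, so an unkeyed hash is reversible by dictionary. With a secret
    key the output is stable (same input, same pseudonym, so records can
    still be joined) but cannot be linked back without the key. Under
    ISO/IEC 29100 the result is still PII for any party able to re-link it:
    this is pseudonymization, not anonymization.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, purpose: str, key: bytes) -> dict:
    """Reduce a record to the fields the stated purpose needs and add a keyed
    pseudonym derived from the direct identifier."""
    allowed = PURPOSE_FIELDS[purpose]
    out = {field: value for field, value in record.items() if field in allowed}
    out["subject_id"] = pseudonymize(record["email"], key)
    return out


def is_expired(record: dict, purpose: str, as_of: date) -> bool:
    """True once the record has outlived the purpose's retention period."""
    collected = date.fromisoformat(record["collected"])
    return as_of > collected + timedelta(days=RETENTION_DAYS[purpose])


def process_for_purpose(records: list, purpose: str, key: bytes, as_of: date) -> list:
    """Retention first, then minimization: expired records are dropped rather
    than minimized, because keeping even a reduced copy past the retention
    period would still breach use, retention and disclosure limitation."""
    return [minimize(r, purpose, key) for r in records
            if not is_expired(r, purpose, as_of)]


if __name__ == "__main__":
    for purpose in PURPOSE_FIELDS:
        print(purpose, process_for_purpose(RECORDS, purpose, PSEUDONYM_KEY, AS_OF))
```

Run as of 2024-06-01, the analytics view keeps only the May record, stripped to order ID, collection date and pseudonym, while order fulfilment still sees both records with the e-mail address it genuinely needs. Two design points carry over to real systems: the allow-list is the control, so a new field added to the source schema is invisible to every purpose until someone deliberately adds it, and the pseudonym key is the re-identification secret, so it belongs under the same access control and audit as the PII itself.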
ISO 29100 vs GDPR
ISO/IEC 29100 provides the privacy framework and vocabulary, while GDPR creates legally binding obligations for organizations handling EU personal data. The two line up closely in structure - the PII principal corresponds to the GDPR data subject, PII controller and PII processor to the GDPR controller and processor, and PII to personal data - so the ISO/IEC 29100 principles can be used to organize a program that GDPR then makes enforceable. The framework adds no legal obligations of its own, and following it does not by itself demonstrate GDPR compliance.
Relation to ISO 27701
ISO/IEC 29100 provides the privacy principles and conceptual framework. ISO/IEC 27701 implements those principles in a certifiable management system - extending ISO/IEC 27001 to cover privacy information management by adding privacy-specific requirements and guidance to each clause of the ISMS standard and providing dedicated requirements for PII controllers and PII processors separately.
The role distinction of ISO/IEC 29100 - PII controller versus PII processor - maps directly to ISO/IEC 27701's controller-specific and processor-specific requirement annexes, which provide the detailed operational controls that implement the eleven privacy principles in practice.
For organizations building a privacy program, the practical relationship is: ISO/IEC 29100 provides the conceptual foundation and the principles that the program must implement - ISO/IEC 27701 provides the management system requirements and controls framework that operationalizes those principles within an auditable, certifiable governance structure - and ISO/IEC 27001 provides the underpinning information security management system on which the PIMS is built.
Practical Tip: Use ISO/IEC 29100 for privacy principles and ISO/IEC 27701 to turn those principles into a certifiable privacy information management system.
ISO 29100 Implementation Examples
Healthcare Provider: A hospital implementing ISO/IEC 29100 as the framework for its patient data privacy program maps each of the eleven principles to its existing patient data management policies.
Consent and choice is implemented through a documented patient consent process covering each category of data processing - treatment, research, and administrative purposes - with separate consent for each. Purpose legitimacy and specification drives a formal review of all data uses to confirm that each processing activity has a defined, disclosed purpose.
Technology Company Processing User Data: A software-as-a-service provider implements ISO/IEC 29100 to govern its processing of user personal data - both as a controller for its direct user relationships and as a processor for its enterprise customers.
As a controller, the company implements openness, transparency, and notice through a clearly written, accessible privacy notice covering all processing activities; individual participation and access through a self-service privacy portal enabling users to access, correct, and delete their data; and use, retention, and disclosure limitation through defined data retention schedules and a third-party data sharing register.
Financial Services Organization: A retail bank implementing ISO/IEC 29100 as the conceptual framework for its privacy program uses the eleven principles to structure a comprehensive privacy impact assessment methodology - applied to each new product, service, or system that involves PII processing.
The information security principle drives alignment with the bank's existing ISO/IEC 27001 ISMS - ensuring that privacy control requirements identified through the ISO/IEC 29100 framework are implemented within the ISMS control set and subject to the same governance and audit oversight.
Writer’s view: Implementation examples are useful because privacy controls look different in healthcare, SaaS, banking and other PII-heavy environments.
ISO 29100 Certification Cost
ISO/IEC 29100 itself is a framework standard and is not certifiable, so "ISO 29100 certification" in practice means certification against ISO/IEC 27701, built on ISO/IEC 27001, for a privacy program structured around the ISO/IEC 29100 principles. For organizations pursuing ISO/IEC 27001 and ISO/IEC 27701 together as an integrated program, the combined audit investment reflects the number of employees in scope, the number of sites, the volume and sensitivity of PII processed, and the complexity of the controller-processor relationship portfolio.
The incremental audit effort for ISO/IEC 27701 over ISO/IEC 27001 primarily covers the privacy-specific requirements: privacy risk assessment, PII controller and processor-specific controls, consent management, individual rights procedures, and cross-border transfer governance.
Cost planning should consider PII processing scope, employee count, sites, ISO/IEC 27001 status, controller-processor roles and ISO/IEC 27701 audit needs.
ISO 29100 Certification Timeline
The timeline for a combined ISO/IEC 27001 and ISO/IEC 27701 program reflects the significant documentation work required to implement the ISO/IEC 27701 controller and processor annexes - covering data mapping, processing purpose documentation, retention schedule development, the third-party processor register, and individual rights workflow design - on top of the ISMS foundation.
Assigning a dedicated privacy program owner with both technical and legal privacy knowledge, completing the PII processing inventory and data flow mapping exercise before beginning PIMS documentation, and conducting a structured internal PIMS audit before the Stage 2 certification assessment are the most effective ways to keep the combined program on track.
A Practical Tip from Pacific Certifications: Organizations can avoid delays by completing PII inventory, data flow mapping, privacy risk assessment and internal PIMS audit early.
How Pacific Certifications Can Help
Accredited by ABIS, Pacific Certifications conducts impartial, evidence-based audits against applicable ISO standards in full conformance with ISO/IEC 17021. Our services for organizations implementing privacy programs include:
Independent certification audits for ISO/IEC 27701, ISO/IEC 27001, ISO 9001, and ISO 22301
Integrated management system audits covering multiple standards in coordinated, efficient audit visits
Stage 1 and Stage 2 audit execution across technology, financial services, healthcare, and professional services organizations
Clear, transparent audit reports with conformity findings and certification decisions
Issuance of internationally recognized ISO certificates upon successful audit completion
Annual surveillance and triennial recertification audits to maintain certificate validity
Pacific Certifications does not provide consultancy - our role is strictly that of an independent auditor, ensuring your certificate carries full credibility with clients, regulators, data protection authorities, and enterprise procurement bodies in every jurisdiction you operate in.
Contact Us
To get started with your privacy certification program or initiate your audit, contact us at support@pacificcert.com or +91-8595603096.
For training programs, contact us at trainings@pacificcert.com.
Also read: ISO/IEC 27701 Certification in 2026
