ISO 29100: Privacy Framework - Data Protection Principles & Implementation

Post by Alina Ansari | July, 2026

What Is ISO 29100?

ISO/IEC 29100 is published by ISO and IEC under ISO/IEC JTC 1/SC 27, the joint technical committee for information security. It establishes common privacy terminology, defines the actors and roles in PII processing, identifies core privacy safeguarding requirements, and specifies eleven foundational privacy principles that together provide the conceptual foundation for designing and operating privacy-respecting ICT systems and processes.

ISO/IEC 29100 is a framework standard rather than a controls standard or a certifiable management system standard - it does not prescribe specific technical or organizational measures, but provides the conceptual structure and principles within which those measures are selected, implemented, and evaluated.

The standard was amended in 2024 - published as ISO/IEC 29100:2011+Amd 1:2024 - updating the privacy principles to align them more closely with current global privacy regulatory developments, including recognition of the accountability principle and clarification of the consent-related principles in light of experience with major privacy regulations such as the GDPR. The standard applies to any natural or legal person, public or private, that handles PII within ICT systems - making it globally applicable across all sectors, organization sizes, and jurisdictions.

ISO/IEC 29100 helps organizations build privacy programs around clear PII roles, privacy principles and accountable data protection governance - Pacific Certifications


Privacy Framework Concepts

Personally Identifiable Information (PII)

PII is defined in ISO/IEC 29100 as any information that can be used to identify, contact, or locate a single person, either alone or in combination with other sources. The definition is broad and technology-neutral - encompassing obvious direct identifiers such as names, identity numbers, and contact details, as well as indirect identifiers such as IP addresses, device identifiers, location data, and combinations of attributes that, together, make an individual uniquely identifiable.

The breadth of this definition reflects the practical reality of modern data environments where seemingly innocuous data points can be combined to identify individuals.

PII Principal

The PII principal is the natural person to whom PII relates - the individual whose privacy interests are protected by the framework. ISO/IEC 29100 uses PII principal rather than the more commonly used term "data subject" to maintain alignment with a broad range of privacy regulatory frameworks across different jurisdictions.

The PII principal is the central party whose interests the privacy principles are designed to protect.

Privacy Stakeholders

ISO/IEC 29100 identifies several categories of privacy stakeholder - parties who have interests in or obligations arising from PII processing. These include PII principals whose personal information is being processed, PII controllers who determine the purposes and means of PII processing, PII processors who process PII on behalf of controllers, third parties who receive PII from controllers or processors, privacy authorities who oversee compliance with privacy obligations, and information and communication technology providers who supply the systems and infrastructure used to process PII.

Privacy Safeguarding Requirements

Privacy safeguarding requirements are the conditions that must be met to adequately protect the privacy of PII principals. ISO/IEC 29100 identifies three categories: confidentiality - ensuring that PII is accessible only to authorized parties; integrity - ensuring that PII is accurate, complete, and not improperly modified; and availability - ensuring that legitimate access to PII is maintained while preventing unauthorized access or disclosure.

Practical Tip: Start by defining PII, privacy stakeholders, safeguarding requirements and processing roles before selecting privacy controls.


PII Controller and Processor Roles

  • PII Controller: A PII controller is the stakeholder who determines the purposes and means by which PII is processed - making the key decisions about what personal information is collected, why it is collected, how it is used, with whom it is shared, and how long it is retained. The PII controller bears primary accountability for compliance with privacy principles and regulatory obligations.

  • PII Processor: A PII processor is a party who processes PII on behalf of and under the instruction of a PII controller - not for their own purposes, but to provide a service to the controller. Cloud computing providers, payroll processors, email service providers, and analytics service providers are common examples of PII processors.

  • The Controller-Processor Distinction in Practice: The controller-processor distinction is not always straightforward - the same organization may be a controller for some PII processing activities and a processor for others, and the roles may be concurrent where multiple parties jointly determine processing purposes.

Privacy accountability becomes clearer when organizations know whether they decide the purpose of processing or process PII on another party’s instructions.


The 11 Privacy Principles

  1. Consent and Choice: PII should be processed only with the knowledge and freely given, specific, and informed consent of the PII principal - unless another lawful basis for processing is applicable. PII principals must have genuine choice about whether to consent to processing, and consent must be withdrawable without detriment.

  2. Purpose Legitimacy and Specification: The purposes for which PII is collected must be legitimate, specific, and disclosed to the PII principal at or before the time of collection. Processing must be limited to the specified purposes - secondary use of PII for purposes materially different from those disclosed requires a new legal basis and new disclosure to the PII principal.

  3. Collection Limitation: Only PII that is adequate, relevant, and limited to what is necessary for the specified purpose should be collected. The collection limitation principle directly addresses the tendency of organizations to collect more personal information than they need on the basis that it might be useful in the future - requiring instead that collection is proportionate to the defined processing purpose.

  4. Data Minimization: The data minimization principle extends collection limitation to cover the entire processing lifecycle - not only limiting initial collection but requiring that PII is minimized, aggregated, anonymized, or pseudonymized wherever it is technically feasible to achieve the processing purpose with less personal information.

  5. Use, Retention, and Disclosure Limitation: PII must be used, retained, and disclosed only in accordance with the specified purpose and any applicable consent. PII must not be retained longer than necessary for the purpose - retention periods must be defined and enforced - and disclosure to third parties must be governed by agreements that ensure the recipient processes PII only for purposes consistent with those for which it was originally collected.

  6. Accuracy and Quality: PII must be accurate, complete, and kept up to date to the extent necessary for the purposes for which it is processed. Organizations must implement processes to identify and correct inaccurate PII, and must provide PII principals with mechanisms to review, correct, and update their personal information.

  7. Openness, Transparency, and Notice: PII controllers must be transparent about their PII processing practices - providing PII principals with clear, accessible, and timely information about what personal information is collected, for what purposes, on what legal basis, with whom it is shared, and what rights the PII principal has.

  8. Individual Participation and Access: PII principals must be able to access their personal information held by a PII controller, verify its accuracy and completeness, and have inaccurate or incomplete information corrected. This principle encompasses the right of access - which requires organizations to have technically feasible mechanisms for responding to access requests - and the right to rectification.

  9. Accountability: PII controllers are accountable for compliance with the privacy principles - and must implement the policies, procedures, training, monitoring, and audit mechanisms needed to demonstrate that compliance. Accountability is both an internal governance requirement and an external obligation - regulators, customers, and partners may all require evidence of privacy governance effectiveness.

  10. Information Security: PII must be protected by technical and organizational security measures appropriate to the nature of the information and the risks associated with its processing - covering unauthorized access, disclosure, modification, or destruction.

  11. Privacy Compliance: PII controllers must ensure that their processing activities comply with all applicable privacy laws, regulations, and contractual obligations. This principle acknowledges that ISO/IEC 29100 operates alongside rather than in place of jurisdiction-specific privacy regulation - the framework's eleven principles provide the international conceptual foundation, while national and regional regulations provide the legally enforceable obligations.

Tip: Use the 11 privacy principles as a practical checklist for consent, purpose, minimization, transparency, security, accountability and compliance.


ISO 29100 vs GDPR

Comparison by dimension - ISO/IEC 29100 versus GDPR:

  • Nature: ISO/IEC 29100 - international standard, voluntary adoption; GDPR - European Union regulation, legally binding.

  • Enforceability: ISO/IEC 29100 - no direct legal enforcement, framework for voluntary adoption; GDPR - directly enforceable, with fines up to €20M or 4% of global annual turnover.

  • Scope: ISO/IEC 29100 - any organization processing PII globally; GDPR - any organization processing personal data of EU data subjects.

  • Principles: ISO/IEC 29100 - 11 privacy principles; GDPR - 7 principles (Article 5) plus specific rights and obligations.

  • Legal basis: ISO/IEC 29100 - consent and choice as primary principle; GDPR - 6 lawful bases for processing, of which consent is one.

  • Individual rights: ISO/IEC 29100 - individual participation and access principle; GDPR - detailed rights framework covering access, rectification, erasure, portability, and objection.

  • DPA requirement: ISO/IEC 29100 - not required; GDPR - Data Processing Agreements mandatory for controller-processor relationships.

  • Accountability: ISO/IEC 29100 - one of 11 principles; GDPR - central compliance obligation, controllers must demonstrate compliance.

  • Certification: ISO/IEC 29100 - no standalone certification; GDPR - no direct GDPR certification, ISO 27701 provides a complementary privacy ISMS.

ISO/IEC 29100 provides the privacy framework, while GDPR creates legally binding obligations for organizations handling EU personal data.


Relation to ISO 27701

ISO/IEC 29100 provides the privacy principles and conceptual framework. ISO/IEC 27701 implements those principles in a certifiable management system - extending ISO/IEC 27001 to cover privacy information management by adding privacy-specific requirements and guidance to each clause of the ISMS standard and providing dedicated requirements for PII controllers and PII processors separately.

The role distinction of ISO/IEC 29100 - PII controller versus PII processor - maps directly to ISO/IEC 27701's controller-specific and processor-specific requirement annexes, which provide the detailed operational controls that implement the eleven privacy principles in practice.

For organizations building a privacy program, the practical relationship is: ISO/IEC 29100 provides the conceptual foundation and the principles that the program must implement - ISO/IEC 27701 provides the management system requirements and controls framework that operationalizes those principles within an auditable, certifiable governance structure - and ISO/IEC 27001 provides the underpinning information security management system on which the PIMS is built.

Practical Tip: Use ISO/IEC 29100 for privacy principles and ISO/IEC 27701 to turn those principles into a certifiable privacy information management system.


ISO 29100 Implementation Examples

  • Healthcare Provider: A hospital implementing ISO/IEC 29100 as the framework for its patient data privacy program maps each of the eleven principles to its existing patient data management policies.

    Consent and choice is implemented through a documented patient consent process covering each category of data processing - treatment, research, and administrative purposes - with separate consent for each. Purpose legitimacy and specification drives a formal review of all data uses to confirm that each processing activity has a defined, disclosed purpose.

  • Technology Company Processing User Data: A software-as-a-service provider implements ISO/IEC 29100 to govern its processing of user personal data - both as a controller for its direct user relationships and as a processor for its enterprise customers.

    As a controller, the company implements openness, transparency, and notice through a clearly written, accessible privacy notice covering all processing activities; individual participation and access through a self-service privacy portal enabling users to access, correct, and delete their data; and use, retention, and disclosure limitation through defined data retention schedules and a third-party data sharing register.

  • Financial Services Organization: A retail bank implementing ISO/IEC 29100 as the conceptual framework for its privacy program uses the eleven principles to structure a comprehensive privacy impact assessment methodology - applied to each new product, service, or system that involves PII processing.

    The information security principle drives alignment with the bank's existing ISO/IEC 27001 ISMS - ensuring that privacy control requirements identified through the ISO/IEC 29100 framework are implemented within the ISMS control set and subject to the same governance and audit oversight.

Writer’s view: Implementation examples are useful because privacy controls look different in healthcare, SaaS, banking and other PII-heavy environments.


ISO 29100 Certification Cost

For organizations pursuing ISO/IEC 27001 and ISO/IEC 27701 together as an integrated program, the combined audit investment reflects the number of employees in scope, the number of sites, the volume and sensitivity of PII processed, and the complexity of the controller-processor relationship portfolio.

The incremental audit effort for ISO/IEC 27701 over ISO/IEC 27001 primarily covers the privacy-specific requirements: privacy risk assessment, PII controller and processor-specific controls, consent management, individual rights procedures, and cross-border transfer governance.

Cost planning should consider PII processing scope, employee count, sites, ISO/IEC 27001 status, controller-processor roles and ISO/IEC 27701 audit needs.


ISO 29100 Certification Timeline

The timeline for a combined program reflects the significant documentation work required to implement the ISO/IEC 27701 controller and processor annexes - covering data mapping, processing purpose documentation, retention schedule development, the third-party processor register, and individual rights workflow design - on top of the ISMS foundation.

Assigning a dedicated privacy program owner with both technical and legal privacy knowledge, completing the PII processing inventory and data flow mapping exercise before beginning PIMS documentation, and conducting a structured internal PIMS audit before the Stage 2 certification assessment are the most effective ways to keep the combined program on track.

A Practical Tip from Pacific Certifications: Organizations can avoid delays by completing PII inventory, data flow mapping, privacy risk assessment and internal PIMS audit early.


How Can Pacific Certifications Help?

Accredited by ABIS, Pacific Certifications conducts impartial, evidence-based audits against applicable ISO standards in full conformance with ISO/IEC 17021. Our services for organizations implementing privacy programs include:

  • Independent certification audits for ISO/IEC 27701, ISO/IEC 27001, ISO 9001, and ISO 22301

  • Integrated management system audits covering multiple standards in coordinated, efficient audit visits

  • Stage 1 and Stage 2 audit execution across technology, financial services, healthcare, and professional services organizations

  • Clear, transparent audit reports with conformity findings and certification decisions

  • Issuance of internationally recognized ISO certificates upon successful audit completion

  • Annual surveillance and triennial recertification audits to maintain certificate validity

Pacific Certifications does not provide consultancy - our role is strictly that of an independent auditor, ensuring your certificate carries full credibility with clients, regulators, data protection authorities, and enterprise procurement bodies in every jurisdiction you operate in.


Contact Us

To get started with your privacy certification program or initiate your audit, contact us at support@pacificcert.com or +91-8595603096.

For training programs, contact us at trainings@pacificcert.com.

Frequently Asked Questions

What is ISO/IEC 29100 used for?
ISO/IEC 29100 provides a privacy framework for organizations that process personally identifiable information. It helps define privacy roles, principles, and safeguards for ICT systems and data processing activities.
Is ISO/IEC 29100 a certifiable standard?
No, ISO/IEC 29100 is not a standalone certifiable management system standard. Organizations usually use it as a privacy framework and pursue ISO/IEC 27701 certification when they need an auditable privacy management system.
Who should implement ISO/IEC 29100?
ISO/IEC 29100 is useful for any organization that collects, stores, uses, shares, or processes personal data. It applies to technology companies, healthcare providers, banks, public bodies, SaaS providers, and data processing service providers.
What does PII mean in ISO/IEC 29100?
PII means personally identifiable information, which is data that can identify, contact, or locate a person. This may include names, ID numbers, email addresses, IP addresses, device identifiers, or combined data points.
What are PII controllers and processors?
A PII controller decides why and how personal data is processed. A PII processor handles personal data on behalf of the controller, usually under instructions and contractual obligations.
What are the main ISO/IEC 29100 privacy principles?
The standard covers principles such as consent, purpose limitation, data minimization, transparency, individual access, accountability, information security, and privacy compliance. These principles guide responsible handling of personal information.
How does ISO/IEC 29100 relate to GDPR?
ISO/IEC 29100 is a voluntary international privacy framework, while GDPR is a legally binding regulation for EU personal data. ISO/IEC 29100 can help organizations structure privacy practices, but it does not replace legal compliance.
How is ISO/IEC 29100 different from ISO/IEC 27701?
ISO/IEC 29100 provides privacy concepts and principles. ISO/IEC 27701 turns those privacy principles into a certifiable privacy information management system built on ISO/IEC 27001.
How long does ISO/IEC 29100 implementation take?
Implementation time depends on data volume, processing complexity, existing controls, and regulatory exposure. A small organization may map the framework in a few weeks, while larger or regulated organizations may need several months.
What is the cost of ISO/IEC 29100 certification?
ISO/IEC 29100 has no standalone certification cost because it is not directly certifiable. Costs usually relate to privacy gap assessments, policy development, training, implementation work, and ISO/IEC 27701 certification if pursued.

Pacific Certifications is an independent, internationally recognized certification body providing third-party audit and certification services for management system standards such as ISO 9001, ISO 14001, ISO/IEC 27001, ISO 45001, and other ISO standards. We also provide product certification services and training and personnel certification programs designed to support organizational and professional competence.