What does control A.1.4.6 require?
The organisation shall either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the original PII is no longer necessary for the identified purpose(s).
This control sits within the PII minimization objective (A.1.4) and represents the end-of-lifecycle obligation. Once the purpose for collecting and processing PII has been fulfilled and no legal retention requirement exists, the data should not persist in identifiable form. This control works in tandem with A.1.4.8 (retention) and A.1.4.9 (disposal) to ensure PII does not outlive its purpose.
What does the implementation guidance say?
Annex B (section B.1.4.6) provides the following guidance:
- Define triggers for action — Identify the events that should trigger de-identification or deletion, including: purpose fulfilled, consent withdrawn, retention period expired, or PII principal request
- Ensure robust de-identification — Where de-identification is chosen over deletion, the methods used must be resistant to re-identification. Simple removal of names may not be sufficient if other data points allow identification through combination
- Document the process — The procedures for de-identification and deletion should be documented, including the methods used, the triggers applied and the verification steps
- Verify effectiveness — After de-identification or deletion, the organisation should verify that the action was effective and that PII cannot be recovered or re-identified
- Reference ISO/IEC 20889 — The guidance specifically references ISO/IEC 20889 (Privacy enhancing data de-identification techniques) as a source of de-identification methods
- See also A.1.4.3: Limit Processing for related requirements
- See also A.1.4.4: Accuracy and Quality for related requirements
The two options (deletion or de-identification) give organisations flexibility. Where the underlying data has analytical value but the individuals no longer need to be identifiable, de-identification allows continued use. Where no further use exists, deletion is the cleaner approach.
How does this map to GDPR?
Control A.1.4.6 maps to several GDPR provisions:
- Article 5(1)(c) — Data minimisation principle
- Article 5(1)(e) — Storage limitation: data should be kept in identifiable form only as long as necessary
- Article 6(4)(e) — Considers the existence of appropriate safeguards, which may include encryption or pseudonymisation, when assessing compatibility of further processing
- Article 11(1) — Where purposes no longer require identification, the controller is not obliged to maintain identifying data
- Article 32(1)(a) — Pseudonymisation and encryption as appropriate technical measures
For the full GDPR-to-ISO 27701 mapping, see GDPR Compliance Guide.
How does this relate to ISO 29100 privacy principles?
This control supports two ISO 29100 principles:
- Data minimization — De-identification reduces PII to the minimum identifiable form needed
- Use, retention and disclosure limitation — Deletion or de-identification at end of processing directly enforces retention limits
What evidence do auditors expect?
When assessing compliance with A.1.4.6, auditors will typically look for:
- De-identification and deletion procedures — Documented procedures specifying the methods used, who is responsible and how effectiveness is verified
- Trigger definitions — Clear documentation of what events trigger de-identification or deletion for each category of PII
- Execution records — Logs or records showing that de-identification and deletion activities have been carried out as scheduled
- Effectiveness testing — Evidence that de-identification has been tested for re-identification resistance, particularly for higher-risk data sets
- Technical method documentation — Description of the specific de-identification techniques used (k-anonymity, differential privacy, tokenisation, etc.) and why they were selected
- Exception handling — Documentation of any cases where PII was retained beyond the original purpose, with justification (e.g. legal hold, regulatory retention requirement)
What are the related controls?
| Control | Relationship |
|---|---|
| A.1.4.5 PII minimization objectives | De-identification is a key mechanism within the minimisation strategy |
| A.1.4.8 Retention | Retention periods define when de-identification or deletion should be triggered |
| A.1.4.9 Disposal | Disposal procedures complement deletion procedures for physical media |
| A.1.4.7 Temporary files | Temporary files containing PII must also be subject to deletion |
| A.1.4.2 Limit collection | Less collection means less data requiring end-of-life treatment |
| A.1.2.2 Identify and document purpose | Purpose documentation defines when PII is “no longer necessary” |
What changed from ISO 27701:2019?
For a step-by-step approach, see the Transition from 2019 to 2025.
In the 2019 edition, de-identification and deletion were addressed under Clause 7.4.5 (PII de-identification and deletion at the end of processing). The 2025 control is substantively the same, with the same two options (delete or de-identify). The implementation guidance now includes a more explicit reference to ISO/IEC 20889 for de-identification techniques and places greater emphasis on verifying the effectiveness of de-identification. See the Annex F correspondence table for the full mapping.
Why choose ISMS.online for managing PII de-identification and deletion?
ISMS.online provides the tools to manage the end-of-lifecycle obligations that auditors examine closely:
- Retention trigger management — Define triggers for de-identification and deletion linked to processing purposes, with automated alerts when triggers are reached
- Disposal and de-identification logs — Record every de-identification and deletion action with timestamps, methods used and verification outcomes
- Technique documentation — Document the de-identification methods applied to each data category, with rationale for technique selection
- Exception tracking — Log and justify any cases where PII is retained beyond its original purpose, ensuring legal holds and regulatory requirements are properly documented
- Compliance reporting — Generate end-of-lifecycle reports showing that de-identification and deletion obligations are being met across all PII categories
FAQs
When should you choose de-identification over deletion?
De-identification is appropriate when the underlying data has value for secondary purposes (such as statistical analysis, research or trend reporting) but the individuals no longer need to be identifiable. Deletion is appropriate when no further use for the data exists. The choice should be documented and the de-identification method must be robust enough to prevent re-identification, particularly given the sensitivity of the data.
How do you verify that de-identification is effective?
Verification involves testing whether the de-identified data set can be re-linked to individuals using the data itself or in combination with other available data sources. Techniques include motivated intruder testing, k-anonymity assessment and reviewing whether quasi-identifiers (such as date of birth combined with postcode) could enable re-identification. ISO/IEC 20889 provides detailed guidance on de-identification techniques and their evaluation.
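The k-anonymity assessment described above can be run as a repeatable check whose output serves as effectiveness-testing evidence. The following is an added example, not part of the original page or of ISO/IEC 20889; the records, the field names, the `generalise` and `assess` helpers and the threshold `k_min=3` are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: names already removed, but date of birth and postcode
# (the quasi-identifiers named above) are still present.
RECORDS = [
    {"dob": "1984-03-12", "postcode": "BN1 4GH", "condition": "asthma"},
    {"dob": "1986-11-02", "postcode": "BN1 7AA", "condition": "diabetes"},
    {"dob": "1981-07-23", "postcode": "BN1 2QQ", "condition": "asthma"},
    {"dob": "1992-01-30", "postcode": "M4 5XY", "condition": "migraine"},
    {"dob": "1995-09-14", "postcode": "M4 1AB", "condition": "asthma"},
    {"dob": "1999-05-05", "postcode": "M4 8CD", "condition": "diabetes"},
]
QUASI_IDENTIFIERS = ("dob", "postcode")


def generalise(record):
    """Coarsen the quasi-identifiers: birth decade and outward postcode only."""
    decade = int(record["dob"][:4]) // 10 * 10
    return {**record, "dob": f"{decade}s", "postcode": record["postcode"].split()[0]}


def assess(records, quasi_identifiers=QUASI_IDENTIFIERS, k_min=3):
    """Group records by quasi-identifier values and report the smallest group.

    k is the size of the smallest equivalence class; any record in a class
    smaller than k_min shares its combination with too few other records.
    """
    def key(r):
        return tuple(r[q] for q in quasi_identifiers)

    classes = Counter(key(r) for r in records)
    k = min(classes.values(), default=0)  # an empty data set never passes
    at_risk = sum(1 for r in records if classes[key(r)] < k_min)
    return {"k": k, "at_risk": at_risk, "passes": k >= k_min}


if __name__ == "__main__":
    # Removing names alone leaves every record unique on (dob, postcode).
    print("names removed only:  ", assess(RECORDS))
    # Generalising both fields puts each record in a group of three.
    print("after generalisation:", assess([generalise(r) for r in RECORDS]))
```

A passing k covers only the quasi-identifiers listed in the check; it does not replace the motivated intruder testing mentioned above, which considers other available data sources.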
What about PII in backups after the original data is deleted?
PII in backups remains within scope. Organisations should have a strategy for addressing PII in backups, which may include: encrypting backups so that deleted data cannot be accessed even if it persists; applying retention policies to backup cycles so that old backups are overwritten; or accepting and documenting the residual risk of PII in backups with appropriate access controls. The chosen approach should be documented and defensible.








