September 26, 2022

Volume XII, Number 269


September 23, 2022

Subscribe to Latest Legal News and Analysis

Thinking Beyond the Law: What is the ISO 29100 Privacy Framework?

In 2011, the International Organization for Standards technical committee on Information Security, Cybersecurity and Privacy Protection developed a privacy framework that was intended to propose common privacy terminology, define the roles of different organizations with respect to privacy, and establish core privacy principles.1  The result was the publication on December 15, 2011, of the ISO/IEC 29100 Privacy Framework.  The framework was last reviewed and updated in 2018.

Thinking Beyond the Law: How Many Total Controls Are Included in The ISO 29100 Privacy Framework?

The ISO 29100 privacy framework does not include formal requirements that a company must follow, but it does provide bullet points under each of its proposed principles that discuss what it means to adhere to the principle and many organizations refer to those bullet points as proposed controls.  In total, the original version of the ISO 29100 framework proposed approximately 70 controls that fall under (or can be considered subcategories of) the following 11 principles:

1. Consent and choice

2. Purpose legitimacy and specification

3. Collection limitation

4. Data minimization

5. Use, retention and disclosure limitation

6. Accuracy and quality

7. Openness, transparency and notice

8. Individual participation and access

9. Accountability

10. Information security

11. Privacy compliance

Thinking beyond the law: How many principles are in the ISO 29100?

While the privacy framework does not propose formal requirements for each of the above principles, it does provide bullet points that discuss what it means to “adhere” to each principle.  Those bullet points can be viewed as controls that an organization might consider in relation to each principle.

1 ISO/IEC 29100:2011 Information technology – Security techniques – privacy framework available at (last checked Apr. 2, 2021)

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 113

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...