Module 2: PII Control Categories

Control Assessment


PII Control Assessment Worksheet

This comprehensive assessment helps you evaluate your organization's implementation of ISO 27018 PII controls. Use this as a self-assessment tool, gap analysis guide, or pre-audit checklist.

How to Use This Assessment

Rating Scale:

  • 5 - Fully Implemented: Control fully operational with evidence
  • 4 - Mostly Implemented: Control operational, minor gaps
  • 3 - Partially Implemented: Control exists but significant gaps
  • 2 - Minimal Implementation: Control documented but not operational
  • 1 - Not Implemented: Control does not exist
  • N/A: Control not applicable to your organization

For Each Control:

  1. Rate current implementation (1-5 or N/A)
  2. Document evidence of implementation
  3. Identify gaps and risks
  4. Define remediation actions
  5. Assign responsibility and target date

SECTION 1: CONSENT AND CHOICE CONTROLS

Control 1.1: Consent Management

Requirement: Obtain and manage valid consent for PII processing

Assessment Questions:

  • Do you have a documented consent management process?
  • Is consent freely given, specific, informed, and unambiguous?
  • Can data subjects easily withdraw consent?
  • Do you maintain records of all consents with timestamps?
  • Is consent separated from other terms and conditions?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Evidence:

Examples:
- Consent management system documentation
- Sample consent forms
- Consent database schema
- Withdrawal process flowchart
- Audit logs of consent changes

Your Evidence:
_________________________________________________________
_________________________________________________________
_________________________________________________________

Gaps Identified:

_________________________________________________________
_________________________________________________________

Remediation Actions:

Action | Responsible | Target Date | Status
-------------------------------------------
...

Control 1.2: Marketing Without Consent

Requirement: Do not use customer PII for marketing without explicit consent

Assessment Questions:

  • Do you have a policy prohibiting use of customer PII for your own marketing?
  • Are technical controls in place to prevent unauthorized marketing use?
  • Is explicit opt-in required for all marketing communications?
  • Can data subjects opt out easily (same effort as opting in)?
  • Do you audit marketing list sources regularly?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Evidence:

Your Evidence:
_________________________________________________________
_________________________________________________________

Gaps & Remediation:

_________________________________________________________

Control 1.3: Consent Withdrawal

Requirement: Enable easy withdrawal of consent

Assessment Questions:

  • Is the consent withdrawal mechanism as easy to use as giving consent?
  • Is withdrawal processed automatically?
  • Do you stop processing immediately upon withdrawal?
  • Is a withdrawal confirmation sent to the data subject?
  • Do you maintain an audit trail of withdrawals?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


SECTION 2: PURPOSE LEGITIMACY AND SPECIFICATION

Control 2.1: Purpose Documentation

Requirement: Document all PII processing purposes

Assessment Questions:

  • Have you documented all purposes for PII processing?
  • Is each purpose specific, explicit, and legitimate?
  • Do you maintain a data processing register/inventory?
  • Is legal basis identified for each purpose?
  • Are purposes communicated to data subjects?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Evidence Required:

  • Data processing register (ROPA - Record of Processing Activities)
  • Privacy policy stating all purposes
  • Legal basis assessment for each purpose
  • Purpose communication examples

Your Evidence:

_________________________________________________________

Control 2.2: Purpose Limitation

Requirement: Use PII only for documented purposes

Assessment Questions:

  • Do you have technical controls preventing use beyond stated purposes?
  • Are access controls based on processing purposes?
  • Do you audit actual vs. stated purposes regularly?
  • Is new consent obtained for new purposes?
  • Do you have change management for purpose changes?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 2.3: Purpose Review

Requirement: Regularly review processing purposes

Assessment Questions:

  • Do you review purposes at least annually?
  • Are purposes updated when services change?
  • Do you remove purposes no longer relevant?
  • Are customers notified of material purpose changes?
  • Is purpose review documented?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


SECTION 3: COLLECTION LIMITATION

Control 3.1: Necessity Assessment

Requirement: Collect only necessary PII

Assessment Questions:

  • Have you justified necessity for each PII field collected?
  • Do you distinguish required vs. optional fields?
  • Have you considered less invasive alternatives?
  • Do you use progressive collection (collect when needed)?
  • Do you regularly review collection forms to minimize fields?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Collection Inventory:

PII Field | Necessary? | Purpose | Alternatives Considered | Decision
----------------------------------------------------------------------
Email     | Yes        | Auth    | Anonymous accounts      | Required
Phone     | No         | 2FA     | Authenticator app       | Optional
...

Control 3.2: Minimal Collection Forms

Requirement: Design forms to minimize PII collection

Assessment Questions:

  • Are all required fields actually necessary?
  • Do you explain why each optional field is requested?
  • Are sensitive fields avoided unless absolutely necessary?
  • Do you avoid collecting special category data unnecessarily?
  • Are default values used to reduce input when possible?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


SECTION 4: DATA MINIMIZATION

Control 4.1: Anonymization

Requirement: Use anonymized data where possible

Assessment Questions:

  • Do you use anonymized data for analytics?
  • Is anonymization irreversible (cannot re-identify)?
  • Do you have documented anonymization procedures?
  • Are anonymized datasets segregated from PII?
  • Do you verify anonymization effectiveness?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Anonymization Methods Used:

  • Data aggregation
  • K-anonymity
  • Differential privacy
  • Generalization
  • Data suppression
  • Other: ______________
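Control 4.1 asks whether you verify that anonymization actually works, and k-anonymity is one of the methods listed above. The following is an added example, not code from this course or from the ISO 27018 standard: it measures the k of a constructed analytics extract, then generalizes the quasi-identifiers and suppresses the records that still fall below a target k. The column names, the quasi-identifier set and the generalization widths are assumptions chosen for illustration.

```python
"""Verify anonymization effectiveness with a k-anonymity check.

Added example, not part of the course material. The dataset below is
constructed; the quasi-identifier columns and generalization widths are
assumptions chosen for illustration.
"""
from collections import Counter

# Constructed sample: a small analytics extract that has had direct
# identifiers removed but still carries quasi-identifiers (QIs): columns an
# adversary could link against an external dataset. 'diagnosis' is the
# sensitive attribute the release is meant to protect.
SAMPLE_ROWS = [
    {"zip": "94110", "age": 34, "sex": "F", "diagnosis": "flu"},
    {"zip": "94110", "age": 36, "sex": "F", "diagnosis": "cold"},
    {"zip": "94110", "age": 38, "sex": "F", "diagnosis": "flu"},
    {"zip": "94117", "age": 52, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94117", "age": 55, "sex": "M", "diagnosis": "flu"},
    {"zip": "94122", "age": 29, "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("zip", "age", "sex")


def generalize(row, zip_digits=3, age_band=10):
    """Coarsen the QIs: keep only a ZIP prefix and bucket the age into bands."""
    g = dict(row)
    g["zip"] = row["zip"][:zip_digits] + "*" * (len(row["zip"]) - zip_digits)
    lo = (row["age"] // age_band) * age_band
    g["age"] = f"{lo}-{lo + age_band - 1}"
    return g


def qi_key(row):
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def equivalence_classes(rows):
    """Count how many records share each combination of QI values."""
    return Counter(qi_key(r) for r in rows)


def k_anonymity(rows):
    """k is the size of the smallest equivalence class: every record is
    indistinguishable from at least k-1 others on its QIs. k == 1 means at
    least one person is unique and re-identifiable by linkage."""
    classes = equivalence_classes(rows)
    return min(classes.values()) if classes else 0


def enforce_k(rows, k):
    """Generalize the QIs, then suppress records whose class is still < k.
    Returns (released rows, number suppressed)."""
    generalized = [generalize(r) for r in rows]
    classes = equivalence_classes(generalized)
    released = [r for r in generalized if classes[qi_key(r)] >= k]
    return released, len(generalized) - len(released)


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_ROWS))
    released, dropped = enforce_k(SAMPLE_ROWS, 2)
    print(f"released {len(released)} rows, suppressed {dropped}, k = {k_anonymity(released)}")
```

On the constructed rows the raw extract has k = 1 (every age is unique), generalizing to a three-digit ZIP and ten-year age bands leaves one singleton, and suppressing it yields a release with k = 2. Note that k counts only indistinguishability on the quasi-identifiers: a class in which every record shares the same sensitive value still discloses it, so pair this check with a diversity test on the sensitive column before recording the dataset as anonymized.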

Control 4.2: Pseudonymization

Requirement: Use pseudonyms instead of identifiers where possible

Assessment Questions:

  • Do you pseudonymize PII in non-essential systems?
  • Are pseudonymization keys securely managed?
  • Is re-identification controlled and audited?
  • Do you use pseudonyms in logs and reports?
  • Are pseudonymization methods documented?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 4.3: Data Masking

Requirement: Mask PII in non-essential contexts

Assessment Questions:

  • Do you mask PII in customer-facing interfaces?
  • Are PII fields masked in logs?
  • Do customer service tools show only necessary PII?
  • Are masking standards defined and consistent?
  • Is unmasking controlled and audited?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A
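Controls 4.2 and 4.3 ask whether pseudonymization keys are managed, whether re-identification is controlled and audited, and whether PII is masked in logs. The following is an added example, not code from this course or from the ISO 27018 standard: a keyed (HMAC) pseudonym that survives joins but cannot be reversed without the key, a masking filter for log lines, and a small re-identification vault that refuses lookups without a requester and reason and records every lookup. The key value, the log line and the `ReidentificationVault` class are constructed for illustration; a real deployment would keep the key in a KMS and the mapping in an access-controlled store.

```python
"""Keyed pseudonymization plus PII masking for logs and reports.

Added example, not part of the course material. The key, the log line and
the ReidentificationVault class are constructed for illustration.
"""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed key for the example only. In a real deployment the key comes
# from a KMS/HSM or secrets manager and has a rotation plan; it is never in
# source control, because whoever holds it can re-compute every pseudonym.
PSEUDONYM_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic pseudonym: HMAC-SHA256 over the normalized identifier.
    Same input always yields the same pseudonym (joins across systems still
    work), but without the key nobody can reverse it or confirm a guess.
    A plain unkeyed hash would not do: emails and phone numbers are
    low-entropy, so sha256(email) can be confirmed by enumeration."""
    normalized = identifier.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return "pid_" + digest[:16]  # 64-bit truncation is an assumption for readability


# Masking for contexts that must show "just enough" (support tools, logs).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Deliberately narrow so that timestamps and IP addresses are left alone.
PHONE_RE = re.compile(r"\+?\d{1,3}[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}")


def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[0] + "***@" + domain


def mask_phone(number: str) -> str:
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_log_line(line: str) -> str:
    """Apply masking before a line reaches the log pipeline."""
    line = EMAIL_RE.sub(lambda m: mask_email(m.group(0)), line)
    line = PHONE_RE.sub(lambda m: mask_phone(m.group(0)), line)
    return line


class ReidentificationVault:
    """Holds the pseudonym -> identifier mapping and records every lookup,
    so that re-identification is both controlled and auditable."""

    def __init__(self, key: bytes = PSEUDONYM_KEY):
        self._key = key
        self._mapping: dict = {}
        self.audit: list = []

    def register(self, identifier: str) -> str:
        pid = pseudonymize(identifier, self._key)
        self._mapping[pid] = identifier.strip().lower()
        return pid

    def reidentify(self, pid: str, requester: str, reason: str) -> str:
        if not requester or not reason:
            raise PermissionError("re-identification requires a requester and a reason")
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{ts} reidentify pid={pid} by={requester} reason={reason}")
        return self._mapping[pid]


# Constructed log line showing what an application would otherwise emit.
SAMPLE_LOG_LINE = (
    "2024-05-01 12:00:00 INFO login user=jane.doe@example.com "
    "phone=+1 415-555-0134 ip=203.0.113.7"
)

if __name__ == "__main__":
    print(mask_log_line(SAMPLE_LOG_LINE))
    print(pseudonymize("jane.doe@example.com"))
```

The masked form of the constructed line is `2024-05-01 12:00:00 INFO login user=j***@example.com phone=*******0134 ip=203.0.113.7`; the timestamp and the IP address are untouched because the phone pattern is kept narrow on purpose. The vault's audit list is what an assessor would ask to see as evidence that unmasking and re-identification are audited.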


Control 4.4: Storage Minimization

Requirement: Minimize PII copies and replicas

Assessment Questions:

  • Do you maintain a single source of truth for PII?
  • Are PII copies/replicas minimized?
  • Do you use anonymized data for development/testing?
  • Is PII segregated from operational data?
  • Do you track all locations where PII is stored?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

PII Storage Inventory:

System/Database | PII Categories | Necessity | Minimization Applied
------------------------------------------------------------------
Production DB   | Full           | Required  | Encryption
Analytics DB    | None           | N/A       | Anonymized feed
Test DB         | None           | N/A       | Synthetic data
...

SECTION 5: USE, RETENTION & DISCLOSURE LIMITATION

Control 5.1: Use Limitation

Requirement: Use PII only for specified purposes

Assessment Questions:

  • Are access controls based on processing purposes?
  • Do you audit PII access and use?
  • Is unauthorized use technically prevented?
  • Do you have policies against unauthorized use?
  • Are employees trained on proper PII use?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 5.2: Retention Schedule

Requirement: Define and enforce retention periods

Assessment Questions:

  • Have you defined retention periods for all PII categories?
  • Are retention periods documented and justified?
  • Is the retention schedule published and accessible?
  • Do you review retention periods annually?
  • Are legal hold procedures defined?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Retention Schedule:

PII Category | Retention Period | Justification | Automated Deletion
-----------------------------------------------------------------
Account data | Active + 30 days | Business need | ☐ Yes ☐ No
Billing      | 7 years          | Legal req.    | ☐ Yes ☐ No
Support      | 3 years          | Quality       | ☐ Yes ☐ No
...

Control 5.3: Automated Deletion

Requirement: Implement automated PII deletion

Assessment Questions:

  • Is PII deletion automated (not manual)?
  • Does deletion run regularly (daily/weekly)?
  • Do you verify deletion effectiveness?
  • Is deletion audited and logged?
  • Are backups included in deletion process?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A
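Controls 5.2 and 5.3 together ask for a documented retention schedule, automated deletion that runs on a schedule, legal-hold handling, and verification that deletion actually happened. The following is an added example, not code from this course or from the ISO 27018 standard: it encodes a schedule in the shape of the example table above ("Active + 30 days", "7 years", "3 years"), computes each record's expiry, skips records under legal hold, writes an audit line per record, and checks afterwards whether anything scheduled for deletion is still present. The rule encoding, the sample records and the audit-line format are assumptions.

```python
"""Retention-schedule enforcement with legal-hold handling and an audit trail.

Added example, not part of the course material. The rule encoding, the
sample records and the audit-line format are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str
    years: int = 0
    days: int = 0
    basis: str = "created"        # "created" or "last_active" ("Active + ..." rows)
    justification: str = ""


# Constructed schedule mirroring the worksheet's example table.
SCHEDULE = {
    "account": RetentionRule("account", days=30, basis="last_active", justification="Business need"),
    "billing": RetentionRule("billing", years=7, justification="Legal requirement"),
    "support": RetentionRule("support", years=3, justification="Quality"),
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_active: Optional[date] = None
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record, schedule=SCHEDULE) -> date:
    """Date from which the record must be gone. A category without a rule is
    itself a finding (uncategorized PII), so it raises instead of defaulting."""
    if rec.category not in schedule:
        raise KeyError(f"no retention rule for category {rec.category!r}")
    rule = schedule[rec.category]
    start = rec.last_active if rule.basis == "last_active" else rec.created
    if start is None:
        raise ValueError(f"{rec.record_id}: rule is based on last_active but it is unset")
    return add_years(start, rule.years) + timedelta(days=rule.days)


def deletion_run(records, today: date, schedule=SCHEDULE):
    """One scheduled pass. Returns (ids to delete, audit lines). Records under
    legal hold are never deleted, and every record gets an audit line so the
    run can be reviewed later."""
    to_delete, audit = [], []
    for rec in records:
        exp = expiry_date(rec, schedule)
        if rec.legal_hold:
            audit.append(f"{today} HOLD   {rec.record_id} ({rec.category}) expiry={exp} legal hold")
        elif exp <= today:
            to_delete.append(rec.record_id)
            audit.append(f"{today} DELETE {rec.record_id} ({rec.category}) expiry={exp} "
                         f"rule={schedule[rec.category].justification}")
        else:
            audit.append(f"{today} KEEP   {rec.record_id} ({rec.category}) expiry={exp}")
    return to_delete, audit


def verify_deletion(remaining_ids, deleted_ids):
    """Post-run check: anything scheduled for deletion that is still present
    (for instance, a copy in another store or a backup) is returned as a finding."""
    remaining = set(remaining_ids)
    return [rid for rid in deleted_ids if rid in remaining]


# Constructed records; the run date is fixed so the example is reproducible.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("acct-1", "account", date(2020, 1, 15), last_active=date(2024, 3, 1)),
    Record("acct-2", "account", date(2020, 2, 29), last_active=date(2024, 5, 20)),
    Record("bill-1", "billing", date(2017, 5, 31)),
    Record("bill-2", "billing", date(2017, 5, 31), legal_hold=True),
    Record("supp-1", "support", date(2021, 6, 2)),
]

if __name__ == "__main__":
    ids, log = deletion_run(SAMPLE_RECORDS, SAMPLE_TODAY)
    print("\n".join(log))
    print("to delete:", ids)
```

Run against the constructed records on 2024-06-01, the pass deletes `acct-1` (inactive since 1 March, expiry 31 March) and `bill-1` (seven years from 31 May 2017), keeps `acct-2` and `supp-1`, and holds `bill-2`. The pass covers only the store it is pointed at; backups and replicas need their own expiry handling, which is what the `verify_deletion` check and the question about backups under Control 5.3 are there to catch.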


Control 5.4: Sub-processor Management

Requirement: Control and document PII disclosure to sub-processors

Assessment Questions:

  • Do you maintain a current sub-processor registry?
  • Is the sub-processor list publicly available?
  • Do you notify customers 30 days before engaging new sub-processors?
  • Do customers have the right to object to sub-processors?
  • Are sub-processors contractually bound to equivalent protections?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A

Sub-processor Registry:

Sub-processor | Service | PII Access | Location | Last Audit | Certifications
-----------------------------------------------------------------------------
...

Control 5.5: Disclosure Logging

Requirement: Log and audit all PII disclosures

Assessment Questions:

  • Do you log all PII disclosures to third parties?
  • Are government requests logged and tracked?
  • Do you publish transparency reports?
  • Is disclosure logging automated?
  • Can you produce disclosure reports on request?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 5.6: Cross-Border Transfers

Requirement: Control and document international PII transfers

Assessment Questions:

  • Have you identified all cross-border transfers?
  • Do you use approved transfer mechanisms (SCCs, BCRs, etc.)?
  • Are transfer safeguards documented?
  • Do customers approve international transfers?
  • Have you conducted Transfer Impact Assessments?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


SECTION 6: TRANSPARENCY AND NOTICE

Control 6.1: Privacy Policy

Requirement: Maintain comprehensive, accessible privacy policy

Assessment Questions:

  • Do you have a current, comprehensive privacy policy?
  • Is the policy easily accessible (prominent link)?
  • Does the policy cover all PII processing activities?
  • Is the policy written in plain language?
  • Do you notify users of material changes?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 6.2: Transparency Reports

Requirement: Provide transparency about data practices

Assessment Questions:

  • Do you publish regular transparency reports?
  • Do reports include government request statistics?
  • Do reports disclose security incidents?
  • Do reports list sub-processors?
  • Are reports publicly accessible?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


SECTION 7: DATA SUBJECT RIGHTS

Control 7.1: Right to Access

Requirement: Enable data subjects to access their PII

Assessment Questions:

  • Can data subjects request copies of their PII?
  • Do you respond within 30 days?
  • Is PII provided in structured, readable format?
  • Do you verify identity before disclosure?
  • Is the access process documented and easy to use?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 7.2: Right to Correction

Requirement: Enable correction of inaccurate PII

Assessment Questions:

  • Can data subjects request corrections?
  • Are corrections processed within 30 days?
  • Do you verify accuracy before making corrections?
  • Are corrections propagated to all systems?
  • Is the correction process documented?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 7.3: Right to Deletion

Requirement: Enable data subjects to request deletion

Assessment Questions:

  • Can data subjects request deletion (right to be forgotten)?
  • Is deletion completed within 30 days?
  • Is deletion verified and certified?
  • Are all copies (including backups) deleted?
  • Do you notify sub-processors to delete?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


Control 7.4: Right to Data Portability

Requirement: Enable data subjects to receive and transfer their PII

Assessment Questions:

  • Can data subjects export their PII?
  • Is PII provided in machine-readable format (JSON, CSV)?
  • Is the export complete, including all PII?
  • Can the export be transferred to another service?
  • Is the export process automated and self-service?

Rating: ☐ 1 ☐ 2 ☐ 3 ☐ 4 ☐ 5 ☐ N/A


SCORING AND GAP ANALYSIS

Calculate Your Scores

By Section:

Section 1 (Consent): _____ / 15 (3 controls × 5 points)
Section 2 (Purpose): _____ / 15 (3 controls × 5 points)
Section 3 (Collection): _____ / 10 (2 controls × 5 points)
Section 4 (Minimization): _____ / 20 (4 controls × 5 points)
Section 5 (Use/Retention/Disclosure): _____ / 30 (6 controls × 5 points)
Section 6 (Transparency): _____ / 10 (2 controls × 5 points)
Section 7 (Rights): _____ / 20 (4 controls × 5 points)

TOTAL SCORE: _____ / 120 points

Maturity Level

Based on Total Score:

  • 100-120 (83-100%): Advanced - Ready for certification
  • 80-99 (67-82%): Intermediate - Minor gaps to address
  • 60-79 (50-66%): Developing - Significant work needed
  • 40-59 (33-49%): Initial - Major implementation required
  • 0-39 (<33%): Non-compliant - Comprehensive program needed

Your Maturity Level: _______________

Priority Gap Analysis

Critical Gaps (Score 1-2):

Control | Current Score | Risk | Priority | Target Date
--------------------------------------------------------
...

Important Gaps (Score 3):

Control | Current Score | Improvement Needed | Target Date
-----------------------------------------------------------
...

ACTION PLAN TEMPLATE

30-Day Quick Wins

_________________________________________________________
_________________________________________________________

90-Day Improvements

_________________________________________________________
_________________________________________________________

6-Month Strategic Initiatives

_________________________________________________________
_________________________________________________________
Resource Requirements

Budget: $ _______________
Personnel: _______________
Tools/Systems: _______________
Training: _______________

Success Metrics

  • Target certification date: _______________
  • Interim assessment date: _______________
  • Budget allocated: $ _______________
  • Team members assigned: _______________

NEXT STEPS

After completing this assessment:

  1. Review with Leadership

    • Present findings to executive team
    • Secure budget and resources
    • Establish accountability
  2. Create Detailed Remediation Plan

    • Prioritize critical gaps
    • Assign ownership
    • Set realistic timelines
  3. Implement Controls

    • Start with quick wins
    • Build momentum with visible progress
    • Track implementation progress
  4. Validate Implementation

    • Internal audit of controls
    • Test effectiveness
    • Gather evidence
  5. Prepare for Certification

    • Engage certification body
    • Schedule pre-assessment
    • Address any findings
  6. Maintain and Improve

    • Schedule regular assessments (quarterly)
    • Continuous improvement mindset
    • Stay current with standard updates

ASSESSMENT SIGN-OFF

Completed By: _______________ Date: _______________ Role: _______________

Reviewed By: _______________ Date: _______________ Role: _______________

Approved By: _______________ Date: _______________ Role: _______________

Next Assessment Due: _______________


Congratulations!

You've completed Module 2: PII Control Categories. You now understand the key privacy controls required by ISO 27018 and have assessed your organization's readiness.

Module 2 Summary:

  • Consent and choice controls
  • Purpose legitimacy and specification
  • Collection limitation principles
  • Data minimization techniques
  • Use, retention, and disclosure controls
  • Privacy policy development
  • Control assessment and gap analysis

Next Module: Technical Implementation - Learn how to implement cloud privacy controls with technical safeguards, encryption, access controls, and secure data deletion.
