What Auditors Ask: PII Controls and Tool Fragmentation
GDPR audit and ISO 27001 assessment — auditors ask one standard question. 「PII anonymization に使用している technical controls は何ですか?」
They want one clear answer. One control. Applied the same way. With proof.
The risky answer depends on context. Chrome Extension for web. Word macro for documents. Python script for files. Web app for urgent requests.
That triggers follow-up questions. Coverage gaps between tools? Audit trail — where is it?
Fragmented tools cannot answer. That is the compliance problem.
Coverage Consistency: PII Tool の検出一貫性
Different PII tools use different detection methods. Results differ — sometimes a lot.
Regex-only tools search for fixed patterns. SSN format. Email format. Credit card format. NER-based entities は検出できません。Person names and non-US formats go undetected.
NER-only tools detect entity types using trained models. Pattern-based entities は検出できません。IBAN and custom identifiers fall through if not in training data.
Every tool has different entity coverage. Every tool has different confidence thresholds. The same document through Tool A and Tool C may produce different results. VERIFIED.
This creates a direct compliance gap. Tool A is used for PDF files. Tool B is used for Excel files. Tool A detects dates of birth. Tool B does not. The same person's data は PDF では anonymized ですが Excel では exposed です。
The gap depends on file format — not on policy. Not on intent.
DPA investigators can find this gap in a breach inquiry. Tool inconsistency becomes a factor. VERIFIED — GDPR Article 32 requires systematic technical measures.
Audit Trail: 監査証跡の問題
Compliance requires evidence of consistent control use. For PII anonymization, that evidence is the audit trail.
Four tools produce four different log formats. Some produce no log at all.
A Word macro creates no audit record. A Python script may write to a local file. That file is not linked to your compliance system. A Chrome Extension may write browser-side logs. Those logs are not accessible for compliance review.
When a DPA investigation asks for audit evidence, one answer works. A centralized log. It covers all anonymization processing across all platforms.
The other answer does not work. Logs on a developer's local machine are not sufficient.
Single-platform processing makes one audit trail possible. Fragmented tooling makes it impossible.
For audit trail detail, see explainable redaction and HIPAA audit trails.
Configuration Drift: 設定ドリフトの問題
Over time, different tools develop different configurations. This happens slowly and without warning.
Consider a common pattern. Chrome Extension gets updated with custom entity types. Python script is not updated. Word macro was set up by a team member who left. No one knows current settings. Web app preset changes to exclude contractor names. That change never reaches other tools.
Updating one tool without updating others causes drift. Drift causes gaps.
ISO 27001 auditors ask for configuration documentation. 「Four tools, four configs, not sure they are current」 is not a good answer. VERIFIED — ISO/IEC 27001:2022 Annex A 8.11 (Data masking) requires documented, consistent controls; ISO/IEC 27001:2022.
ISO 27001 Finding: 実際の事例
A fifteen-person compliance firm used four tools. A web scraper for online data. A Windows desktop tool for bulk files. A Word macro for legal documents. A Chrome Extension for AI tools.
An ISO 27001 audit produced a finding. Different detection results across platforms. No centralized audit trail. A gap in Annex A 8.11. Control not shown as consistently applied. VERIFIED-EXTERNAL — this matches documented ISO 27001 Annex A 8.11 nonconformity patterns.
The finding required a corrective action plan. The corrective action was platform consolidation.
After consolidation, one detection engine across all four platforms. Same presets in every context. All processing logged in one place. ISO 27001 finding closed at next surveillance audit.
The project took six weeks. It replaced a twelve-page corrective action response with a closed finding.
For more on consistent anonymization and GDPR audit readiness, see anonymization consistency, presets, and GDPR audits.
Compliance Narrative Test: 自己診断
Can you answer these four questions without hesitation?
- What entity types are detected across every platform your team uses?
- What is the detection threshold for each entity type, consistently across all platforms?
- Where is the centralized audit trail for all anonymization in the past twelve months?
- How do you ensure config changes are applied across all platforms?
If any question causes hesitation, fragmentation is creating compliance risk.
The clean answer to all four is achievable. It requires one engine across all platforms. Without that, each tool creates its own coverage gap. Its own audit trail silo. Its own config drift.
Auditors notice these gaps. DPA investigators can exploit them. Consolidating before an audit finding is far easier than doing so after one.
For more on tool fragmentation and cross-platform GDPR controls, see GDPR audit and PII tool fragmentation across platforms.