Following the first anniversary of the publication of ISO 27018 – an international privacy standard governing the processing of personal data in the cloud — Mason Hayes & Curran looks at how successful the new standard has been and the challenges customers and cloud providers are facing following its adoption.
Last summer, the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC) published ISO 27018, the first privacy-specific international standard for cloud services.
The new standard specifies the roles of a data controller and a data processor in maintaining the security and privacy of personally identifiable information (PII) stored in a public cloud environment.
In contrast to existing information security standards that it builds on (such as ISO 27001 and ISO 27002), ISO 27018 is specifically tailored to cloud computing services.
ISO 27018: the first cloud privacy standard
ISO 27018 sets out best practices for public cloud service providers. It establishes security guidelines to protect personal data and provides a privacy compliance framework that addresses the key obligations of a data processor under EU data protection laws (as implemented in Ireland through the Data Protection Acts 1988 and 2003).
Any organisation that processes PII through a cloud computing service under a contractual arrangement can be certified under ISO 27018. All types and sizes of organisations – including public and private companies, government entities and not-for-profit organisations – are eligible.
‘ISO 27018 offers cloud service providers a way to differentiate their services from the competition’
To qualify for certification under ISO 27018, the applicant provider must agree to be audited by an accredited certification body and must also submit to periodic third-party reviews.
Benefits of ISO 27018
The one-year-old standard has important practical benefits for business customers. In particular, ISO 27018 can be used as an independent measure when evaluating and comparing privacy controls of potential public cloud service providers. Regulators are also using the standard as a checklist when assessing privacy protection, both across borders and across differing industry sectors.
ISO 27018 also offers cloud service providers a way to differentiate their services from the competition. Already, one year after publication, it is common to see a customer tendering for cloud computing services including ISO 27018 certification as a requirement (or at least a preferred answer) in a supplier’s tender response.
Microsoft, one of the biggest cloud service providers in the world, was the first major supplier in the market to adopt the standard. Other major players adopting the standard include Dropbox and CRM Online.
5 key guidelines from ISO 27018
Cloud service providers that adopt the standard agree to adhere to specific guidelines that can be roughly categorised as follows:
- Control and consent
The overarching principle is that the customer is in control of their own data. The cloud supplier is only allowed to process PII in accordance with the customer’s instructions. PII can only be processed for marketing or advertising purposes with the customer’s express consent, and the cloud provider cannot make such consent a condition to receiving the cloud service.
Adherence to ISO 27018 provides a number of important security safeguards for the customer. It defines restrictions on how providers may handle PII, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.
The standard also requires providers to enter into confidentiality agreements with staff who have access to and process PII, and to provide appropriate staff training.
- Breach notification and communication
Where a data breach occurs that results in the loss, disclosure or alteration of PII, ISO 27018 requires the provider to notify the customer of the breach and to keep clear records about the incident. The cloud provider is also required to assist customers in compliance with the customer’s own breach notification obligations (for example, to an end user or a regulator) and to help them comply when individuals exercise their data access rights.
From the cloud provider’s legal compliance perspective, the standard permits the provider to only disclose personal information to law enforcement authorities when legally bound to do so. Law enforcement requests for disclosure of PII must be disclosed to the customer.
Prior to entering into a cloud computing services agreement, providers must disclose the names of any sub-processors and the possible locations where PII may be processed. The provider must be transparent about its policies regarding the return, transfer and deletion of PII that is stored in its data centres. This ensures that the customer knows what is happening to their data.
- Independent audit
This requirement ensures that regular reviews of information security and general compliance by the cloud service provider are obtained through a third-party independent audit. Pragmatic cloud providers will see their selection of an independent auditor as a less onerous burden and an acceptable lower-risk alternative to audits performed by individual customers.
Challenges for cloud service providers
There are also several unusual requirements that a cloud service provider must meet under the new standard. For example, there are a number of references to both physical storage media and hard-copy materials, which seem somewhat out of place in a list of requirements for online cloud services.
From a cloud provider’s perspective, the most challenging of the new guidelines has been scrubbing previous customer data for a new customer using the same space. The other main challenge has been documenting where PII is stored.
‘This sort of secure data deletion and record-keeping is slowly becoming the norm that all cloud service providers will have to demonstrate to stay competitive in the market’
However, as many customers now place transparency at the top of their ‘shopping list’ of requirements for a cloud provider, this sort of secure data deletion and record-keeping is slowly becoming the norm that all cloud service providers will have to demonstrate to stay competitive in the market.
Trust and privacy differentiator
In the cloud computing industry, where security and compliance are so important to customers, ISO 27018 has the potential to become a true privacy differentiator.
Although ISO has no power to enforce the implementation of the standard, the value in ISO 27018 for customers is that it allows them to independently evaluate the suitability of a cloud service provider. It also provides a single standardised set of privacy controls, which integrate with a security framework that many organisations are already using.
From a cloud provider’s point of view, certification under the standard can be used as a point of differentiation from competitors, allowing a provider to market its services as complying with an internationally recognised cloud privacy standard. This will, in turn, provide greater customer confidence as to the reliability and security of the cloud provider’s services and, perhaps most importantly, promote trust.