Following the first anniversary of the publication of ISO 27018 – a new international privacy standard governing the processing of personal data in the cloud, we look at how successful the new standard has been and the challenges customers and cloud providers are facing following its adoption.

First Cloud Privacy Standard

Last summer, the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC) published ISO 27018, the first privacy-specific international standard for cloud services. The new standard specifies the roles of a data controller and a data processor in maintaining the security and privacy of personally identifiable information (“PII”) stored in a public cloud environment. In contrast to existing information security standards that it builds on, such as ISO 27001 and ISO 27002, ISO 27018 is specifically tailored to cloud computing services.

What is ISO 27018?

The new standard sets out best practices for public cloud service providers. It establishes security guidelines to protect personal data and provides a privacy compliance framework that addresses the key obligations of a data processor under EU data protection laws (as implemented in Ireland through the Data Protection Acts 1988 and 2003).

Any organisation that processes PII through a cloud computing service under a contractual arrangement can be certified under ISO 27018 –  this means all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations, are eligible. To qualify for certification under ISO 27018, the applicant provider must agree to be audited by an accredited certification body and must also submit to periodic third party reviews.

Benefits to customers and suppliers

The standard has important practical benefits for business customers. In particular, the standard can be used as independent measure when evaluating and comparing privacy controls of potential public cloud service providers. Regulators are also using the standard as a checklist when assessing privacy protection both across borders and across differing industry sectors.

ISO 27018 also offers cloud service providers a way to differentiate their services from the competition. Already, one year after publication, it is common to see a customer tendering for cloud computing services to include ISO 27018 certification as a requirement (or at least a preferred answer) in a supplier’s tender response. Microsoft, one of the biggest cloud service providers in the world, was the first major supplier in the market to adopt the standard.  Other major players adopting the standard include Dropbox and CRM Online.

Summary of ISO 27018: Cloud computing privacy standard

Cloud service providers that adopt the standard agree to adhere to specific guidelines that can be roughly categorised as follows:

  1. Control and Consent: The overarching principle is that the customer is in control of their own data. The cloud supplier is only allowed to process PII in accordance with the customer’s instructions. PII can only be processed for marketing or advertising purposes with the customer’s express consent (and the cloud provider cannot make such consent a condition to receiving the cloud service).  
  2. Security: Adherence to ISO 27018 provides a number of important security safeguards for the customer. It defines restrictions on how providers may handle PII, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts. The standard also requires providers to enter into confidentiality agreements with staff who have access to and process PII and provide appropriate staff training.  
  3. Breach notification & communication: Where a data breach occurs that results in the loss, disclosure or alteration of PII, ISO 27018 requires the provider to notify the customer of the breach and to keep clear records about the incident. The cloud provider is also required to assist customers in compliance with the customer’s own breach notification obligations (for example, to an end-user or a regulator) and to help them comply when individuals exercise their data access rights. From the cloud provider’s legal compliance perspective, the standard permits the provider to only disclose personal information to law enforcement authorities when legally bound to do so. Law enforcement requests for disclosure of PII must be disclosed to the customer.  
  4. Transparency: Prior to entering into a cloud computing services agreement, providers must disclose the names of any sub-processors and the possible locations where PII may be processed. The provider must be transparent about its policies regarding the return, transfer and deletion of PII that is stored in its data centres. This ensures that the customer knows what is happening to their data.  
  5. Independent Audit: This requirement ensures that regular reviews of information security and general compliance by the cloud service provider are obtained through a third party independent audit. Pragmatic cloud providers will see their selection of an independent auditor as a less onerous burden and an acceptable, lower-risk alternative to audits performed by individual customers.

There are also several unusual requirements that a cloud service provider must meet under the new standard. For example, there are a number of references to both physical storage media and hard-copy materials, which seem somewhat out of place in a list of requirements for online cloud services.

Challenges

From a cloud provider’s perspective, the most challenging of the new guidelines has been scrubbing previous customer data for a new customer using the same space. The other main challenge has been documenting where PII is stored. However, as many customers now place transparency at the top of their ‘shopping list’ of requirements for a cloud provider, this sort of secure data deletion and record keeping is slowly becoming the norm that all cloud service providers will have to demonstrate to stay competitive in the market.

Summary – Trust and Privacy Differentiator

In the cloud computing industry, where security and compliance are so important to customers, ISO 27018 has the potential to become a true privacy differentiator. Although the International Standards Organisation has no power to enforce the implementation of the standard, the value in ISO 27018 for customers is that it allows them to independently evaluate the suitability of a cloud service provider. It also provides a single standardised set of privacy controls that integrate with a security framework that many organisations are already using.

From a cloud provider’s point of view, certification under the standard can be used as a point of differentiation from competitors, allowing a provider to market its services as complying with an internationally recognised cloud privacy standard. This will in turn provide greater customer confidence as to the reliability and security of the cloud providers services and, perhaps most importantly, promote trust.

Caitríona Nic Bhloscaidh