ISO 27018 – a new cloud privacy standard

The International Standards Organisation (ISO) published a new voluntary standard ISO 27018 in late 2014, covering the processing of personal data in the cloud.

WHAT IS IT?

ISO 27018 is the first privacy-specific international standard for the cloud, which provides guidance aimed at ensuring cloud service providers offer suitable information security controls to protect the personal data and privacy of their customers by securing PII (Personally Identifiable Information) entrusted by them.

This new standard provides a useful privacy compliance framework for cloud service providers that addresses key data processor obligations under EU data protection laws.

It seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (such as marketing and advertising) without appropriate consent. Cloud service providers must disclose information to law enforcement authorities and/or regulatory bodies if they are legally bound to do so.

WHY IS IT BEING INTRODUCED?

This standard is primarily targeted at public cloud service providers and seeks to create a common set of security controls that can be implemented by a public cloud computing service provider acting as a data processor.

It aims to create a standard way for cloud service providers to be transparent about their privacy practices and to give clear guidance in order to meet some of the legal and regulatory concerns of customers.

ISO 27018 is applicable to all sizes and types of businesses which provide information processing services such as PII processors via cloud computing. It should enhance overall confidence for cloud users as their service provider will be well-placed to keep data private and secure.

THE DETAIL

This new standard is based on current EU data protection law and many of the requirements reflect the existing duties of data controllers and data processors. ISO 27018 requires cloud providers to:

• Only process personal information in accordance with the customer’s instruction and have a transparent policy on the return, transfer and deletion of personal information stored.
• Only process a customer’s personal information for marketing or advertising purposes with that customer’s consent.
• Help cloud service providers that process PII to address applicable legal obligations as well as customer expectations.
• Enable transparency so customers can choose well-governed cloud services.
• Disclose information to law enforcement authorities and/or regulatory bodies if they are legally bound to do so.

WHAT DOES THIS MEAN FOR YOUR BUSINESS?

If your business currently already use cloud services, engage with your provider to check that it is verified as ISO 27018 compliant or is working towards compliance.

WHAT DOES THE PROVIDER’S AGREEMENT SAY ABOUT COMPLIANCE WITH CLOUD STANDARDS?

At Mincoffs Solicitors we see this new standard being used to positive commercial effect in the industry by helping to move opportunities through the sales pipeline as follows:

It will allow customers to find a cloud service provider that will demonstrably meet all legal obligations. In the buying process, ISO 27018 can be used by the customer to get buy-in from other key stakeholders within their business and to allay any concerns of those stakeholders.

Likewise, from the perspective of a provider selling its services, that provider will be able to use its compliance with the standard as a USP against non-compliant competitors and as a tangible demonstration of its commitment to fulfill its obligations in relation to the security and privacy of business and customer data.

For further advice on this or any technology law-related matter, please contact Antony Hall, Partner and Head of Commercial at Mincoffs Solicitors on 0191 281 6151 or email ahall@mincoffs.co.uk.