Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

ISO Adopts New Cloud Privacy Standard

November 4, 2014

This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud — ISO 27018.  It didn't get a lot of press – I certainly missed it. The new cloud standard provides a privacy compliance framework for cloud services providers.

ISO 27018 is the first privacy-specific international standard for the cloud. It seeks to address such issues as keeping customer information secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval. ISO 27018 also responds directly to EU regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission’s 2012 Cloud Strategy here).

InsidePrivacy writes that the standard requires cloud providers to, among other things:

  • Always process personal information in accordance with the customer’s instructions.
  • Only process personal information for marketing or advertising purposes with the customer’s express consent.  Such consent cannot be made a condition for receiving the service.
  • Help cloud customers comply when individuals assert their access rights.
  • Disclose information to law enforcement authorities only when legally bound to do so.
  • Disclose the names of any sub-processors and the possible locations where personal information may be processed prior to entering into a cloud services contract.
  • Help cloud customers comply with their notification obligations in the event of a data breach.
  • Implement a policy for the return, transfer or disposal of personal data, for instance when the service comes to an end.
  • Subject their services to independent information security reviews at scheduled intervals (or when significant processing changes occur).
  • Enter into confidentiality agreements with staff who have access to personal data and provide appropriate staff training.  

In order to be certified under ISO 27018, a cloud service must undergo an audit by an accredited certification body. Prospective cloud customers can verify a provider’s compliance with the standard via the provider’s certificate of conformity. To maintain its certification, a cloud services provider must subject itself to periodic third-party reviews.

Major cloud players in the United States and Europe have announced plans to certify their key cloud services. Will others will follow in their steps and make ISO 27018 a true privacy differentiator in the cloud space? If customers starting gravitating to cloud services that are certified, I think the answer is yes.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq