ISO 27018 – the code of practice for the protection of PII (Personally Identifiable Information) in public clouds


In August 2014, ISO and IEC published ISO 27018, a new standard, as a code of practice for the protection of PII in public clouds. ISO 27018 is a voluntary standard which is expected to strengthen the confidence of customers and regulators with respect to PII processing in the cloud.

Its novelty is that it is a cloud-specific standard building on the standards already used by the cloud computing industry, i.e. ISO/IEC 27001 and ISO/IEC 27002, and addresses data protection concerns such as consent, purpose legitimacy and specification, data minimization, data use, data retention and disclosure limitation, openness, transparency and notice, accountability, information security and privacy compliance. The new standard is applicable to all types and sizes of organisations, including both public and private companies as well as government entities and non-profit organisations, without replacing applicable data protection legislation and regulations.

ISO/IEC 27018 requires providers to always act under the instructions of the client; thus, providers are bound to have in place a clearly defined policy on the return, transfer or destruction of PII, to enter into confidentiality agreements with staff having access to PII and provide them with appropriate training, to disclose the names of any sub-processors and their possible locations, and to obtain the customer’s explicit consent for any use of PII for secondary purposes (e.g. marketing, advertising, data analytics). In case of data breaches, cloud providers are now required to give immediate notice to customers and to record the type, time and consequences of the breach.

ISO/IEC 27018, responding directly to EU regulators’ calls for the introduction of an auditable framework for cloud providers, entails benefits for all parties involved (providers, customers, data controllers), mainly because it ensures the confidentiality and security of PII and establishes an advanced common set of security categories and controls, thus creating a mechanism to audit cloud providers’ compliance and, eventually, their quality. Data controllers wishing to use cloud service providers to process PII also benefit, because all relevant details (e.g. names of sub-processors, processing locations, etc.) would be disclosed prior to the conclusion of a cloud contract.

In Greece, ESYD (ΕΣΥΔ), the National Accreditation System, has not yet assigned the accreditation process to a body which will certify the compliance of cloud service providers with the new standard.