ISO/IEC 27018:2014 – Data Privacy in the Cloud
1 December 2014 – Some weeks ago, ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) published the new standard ISO/IEC 27018:2014 (ISO 27018) regarding data privacy in the cloud. It provides for a many-faceted protection of personally identifiable information (PII) being processed in public clouds. This new standard is specifically directed at cloud services providers.
ISO 27018 sets out standards, controls and guidelines, including substantial notification, information, transparency and proof obligations for cloud services providers. In particular, it provides for the following undertakings for cloud services providers:
- PII may only be processed in accordance with the instructions provided by the cloud services customer.
- The cloud services providers shall offer tools supporting their customers in their undertakings to grant the individuals (to whom the PII relates) access to their PII and to change, erase or correct their PII.
- The cloud services providers shall disclose in advance all relevant subcontractors as well as the countries in which PII is processed.
- Mandatory rules for the transmission, return and use of PII shall be implemented.
- In case of breach of security resulting in the disclosure, alteration or loss of PII, the cloud services providers must immediately inform their customers. Further, the cloud services providers are obliged to record any such breach of security, including the relevant dates, the expected consequences as well as the measures taken in order to solve the problem.
- Independent third parties shall regularly review the cloud services of the cloud services providers.
This new standard is an interesting approach and various cloud services providers announced that they will review ISO 27018 and consider an ISO 27018 certification.
However, it remains to be seen how many cloud services providers will actually implement ISO 27018 and whether this code will become a general standard as regards data privacy in the cloud. Furthermore, it is to be noted that certification under ISO 271018 does not per se imply compliance with the requirements set out in the Swiss data protection legislation, especially in light of the fact that ISO 27018 only protects personal information relating to individuals (as opposed to Swiss law which protects personal data relating to both individuals and legal entities). A case-by-case approach and review is therefore still required.