The General Data Protection Regulation (GDPR) is a European Union (EU) law governing the processing of personal data across the EU. Personal data is any information about identifiable, living people (known as data subjects). It is an extraterritorial law, meaning it applies both within the EU and outside it to organisations that wish to provide goods or services into the EU.
ISO 27018 is the short name for ISO/IEC 27018, Information technology: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. It is all about how to protect personally identifiable information that is stored in the public cloud. The standard provides a compliance framework and seeks to protect personal data from unauthorised use. ISO 27018 builds on existing security standards such as ISO 27001 and ISO 27002, which set out more general security principles. ISO 27018, however, is a highly specific set of principles seeking to address cloud-specific security.
What is the ISO/IEC?
The International Organisation for Standardisation (ISO) is an independent international organisation. It has 161 national standards bodies as members. Members share knowledge and develop voluntary standards for many industries such as technology, food safety and healthcare. The ISO/IEC is a joint technical committee between the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It was formed as a merger in 1987 to develop baseline standards in the IT industry for other committees to build on. The ISO/IEC was responsible for forming ISO 27018.
Details of the ISO 27018
Outlined below are the requirements of the standard that public cloud services should comply with.
- Personal data must be processed in accordance with the customer's instructions.
- Valid consent must be gained before using an individual's personal information for marketing or advertising.
- You must help customers to fulfil requests when individuals assert their right to access their data.
- Information should only be given to law enforcement bodies when legally required to do so.
- Before allowing a customer to enter into a cloud contract you must disclose the names of any sub-processors and the locations where personal data may be processed.
- If a data breach occurs, you must assist customers in reporting it to law enforcement bodies. Having plans in place for when data breaches occur facilitates business continuity.
- Policies must be in place to return, transfer and dispose of personal data securely.
- You must conduct independent security reviews at scheduled intervals.
- It is your responsibility to ensure staff who have access to personal data sign confidentiality agreements and are appropriately trained.
In order to be ISO 27018 certified, cloud services must undergo an audit with an accredited body. To maintain this certification the cloud service must engage in regular third-party reviews.
Why is the ISO 27018 Important?
Compliance with the EU GDPR is legally required, and data protection training can help you achieve it. ISO 27018 is important because it provides a set of rules specific to cloud usage. Vast quantities of our data are now held in the public cloud, necessitating thorough protection requirements. The dramatic consequences of data breaches can include individual loss of rights and freedoms, identity theft, monetary penalties and huge loss of reputation for the responsible data controller. Compliance with ISO 27018 can help to protect personal data and ensure it is treated in accordance with the law.