In Q3 of 2014, the International Standards Organisation (“ISO”) published a new standard for cloud service providers: ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (“ISO 27018”).
In 2012, the European Commission published Unleashing the Potential of Cloud Computing in Europe, a strategy to expedite and increase the use of cloud computing across all of the EU’s economic sectors. According to the Commission, the strategy was the result of an analysis of the overall policy, regulatory and technology landscape with a view to identifying ways to maximise the potential offered by the cloud. One of the strategy’s key objectives is to cut through the jungle of standards so that users enjoy operability, data portability and reversibility. Arising from the Commission’s strategy, and also from the urgings of the Article 29 Working Party (see Opinion 05/2012 on Cloud Computing) to facilitate the protection of personal data in the cloud, the ISO developed ISO 27018.
The new standard provides guidance for cloud service providers that process personal data and sets out controls which those providers must implement to minimise specific risks. The standard therefore assists data controllers in complying with their obligations under Article 17 of Directive 95/46/EC (as transposed into Irish law by the Data Protection Acts 1988 and 2003) to implement the “appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”
ISO 27018 draws on ISO 27001 and ISO 27002: it supplements the controls targeted by those standards and, whereas their focus is generally the confidentiality and integrity of data, the new standard is targeted at controlling the privacy of information from the perspective of a personal data processor (or “PII processor”, as the standard refers to it). As the text of the new standard notes, ISO 27002 is the foundation upon which it is built, and the new standard augments the controls of ISO 27002 to “accommodate the distributed nature of the risk and the existence of a contractual relationship between the cloud service customer and the public cloud PII processor”.
Throughout the EU and the EEA there is growing concern amongst citizens of Member States as to the security of data in general, and particularly of data stored in the cloud. It is hoped that third-party auditing and certification of the cloud providers that adopt the new standard will ease some of these concerns. There are also advantages for the cloud service provider: by implementing the standard in full, the provider can comply with its legal obligations and can transparently demonstrate that compliance to prospective customers.
The controls set out in ISO 27018 (e.g. Information Security; Organisation of Information Security; Human Resource Security; Asset Management; Asset Control; Cryptography; Physical and environmental security; Operations and communications security) show that the standard’s focus is on technical security principles and procedures. Notwithstanding this, the standard generally aligns with the principles of Directive 95/46/EC. Further, there are controls that oblige the cloud service provider to inform its customer of the possible storage locations of the data and of any legally binding requests the provider has received in respect of the data.
The standard also incorporates aspects of the proposed principle of accountability under the General Data Protection Regulation (currently slowly winding its way through the EU legislative process), whereby the data controller would be obliged to put in place appropriate measures to ensure compliance with data protection principles and, critically, to be able to demonstrate its compliance with those principles. The standard may assist data controllers in showing that their cloud service providers comply with the principle of accountability by way of third-party audit and certification. However, it is important to note that, whilst the standard provides companies with the building blocks for demonstrating full compliance with data protection rules, compliance with the standard is not necessarily determinative of compliance with those rules.
In the main, ISO 27018 should be a welcome development, as it provides a set of controls that are subject to third-party audit and which, when implemented by cloud service providers, will inevitably engender compliance, accountability and transparency. In doing so, the standard will help bridge the trust gap that has emerged in recent years between cloud service providers, their customers and data subjects.
If you are a data controller that would like to discuss ISO 27018 in more detail, please contact Adrian Smyth at firstname.lastname@example.org or +353 1 8725155.