Historically, businesses have called for greater connection between the legal requirements of European data protection law and the requirements of information technology standards. The new International Organization for Standardization (ISO) standard for securely processing personal information in cloud computing environments, ISO 27018, could be a significant first step toward creating technical standards that take privacy legal requirements into account.1 While its effects on compliance under the forthcoming EU General Data Protection Regulation (GDPR) remain to be seen, ISO 27018 offers a promising look at what a more harmonized data protection regime might look like.
ISO 27018 is revolutionary because it was designed for user privacy protection. The certification combines legal requirements for data processing with technical criteria for information security systems. The goal of ISO 27018 is to provide a set of uniform security controls to public cloud computing service providers who act as personal data processors. Data processors can certify to their implementation, upkeep, and management of security controls. For globally operating cloud service providers, this certification is an easy and widely accepted signal of compliance. The first service to certify was Microsoft Azure in February 2015.2 Other Microsoft products to certify include Office 365, CRM Online, and Intune. Dropbox for Business also certified three months later.3 ISO 27018 is particularly attractive for U.S.-based cloud service providers with a strong EU presence, as ISO 27018 certification provides a good baseline for establishing much-needed trust in cloud services in the EU. ISO certification has always been a strong sign of accountability and trustworthiness.
ISO Background
ISO is an independent non-governmental organization that develops international standards, and is the largest standards issuer of its kind. Its members are from 164 standards organizations around the world. Its goal is to provide businesses with common and internationally accepted standards. Businesses can certify to certain ISO standards,4 which can be helpful for all entities and consumers along the value chain. While ISO standards are not mandatory, ISO certification is a very powerful, globally influential signal that has become a de facto market standard in numerous industries.
While ISO develops international standards, it does not get involved in the certification process and does not issue certificates. Rather, external, nationally accredited certification bodies issue certificates according to ISO standards.
ISO 27018 Within the ISO Certification System
All certifications that belong to the ISO 27000-series are also called ISO27k or the Information Security Management System (ISMS) family. The ISMS family covers data privacy and confidentiality, as well as technical security of IT infrastructure. A cornerstone of the ISMS family is ISO 27002, which gives a code of practice for information security management.5 ISO 27018 is based on ISO 27002, but makes adjustments for the specific risk environment inherent in processing personal data on a public cloud. ISO 27018 has an implementation guide for ISO 27002 controls. Also, ISO 27018 Annex A lists additional controls and guidance for public cloud service providers processing personal data.
ISO 27018 has four main certification objectives:6
- Easing compliance. It becomes easier for public cloud service providers to comply with data protection laws when they act as personal data processors.
- Transparency. Transparency amongst cloud service providers is increased. Customers can vote with their feet and select a well-governed and securely run cloud for their services.
- Lower transaction costs. Concluding a contract between a cloud-based data processor and a cloud service customer will become easier if the baseline is set by an ISO standard.
- Customer audit and compliance rights. Cloud service customers have a way to enforce the upkeep of security standards of the cloud infrastructure. This includes increased physical and logical network security controls on data centers.7
Personal Data Protection Requirements in ISO 27018
The core objective of the ISO 27018 standard is to protect personal data from a data breach.8 ISO 27018 includes the following requirements:
- Process as little data as possible. The privacy principle of data minimization or scarcity is mirrored by the consent structure that ISO 27018 requires. Also, cloud service providers must not use personal data for marketing or advertising unless the data subject has explicitly agreed to it. (ISO 27018, Annex A.4.1 and A.5.1)
- Implement technical and organizational security measures, such as prohibiting portable hard drives containing personal data from leaving the processor’s facilities. (ISO 27018, No. 6, 9, 11, 12 and Annex A.10)
- Implement encryption techniques to secure personal data transmission channels. (ISO 27018, No. 10)
- Require sub-contractors of the data processor to abide by the same standards as the contracted processor and inform customers about where their data physically resides. Also, allow customers to ask the processor to disclose all subcontractors. (ISO 27018, Annex A.10.12 and A.11)
- If a data breach occurs, the cloud service provider has notification obligations to communicate the incident clearly and promptly. (ISO 27018, No. 16)
- The cloud service provider must undergo regular third-party audits to keep the certification valid.9
Data Protection Laws Overlapping with ISO 27018
Trust in public cloud services has been a constant stumbling block for cloud service providers in the EU. New laws are forthcoming that set the data protection and privacy standards higher, and ISO 27018 catches this wave and helps with the compliance process. Numerous ISO 27018 certification components such as its consent requirement and breach notification obligations will also become part of the new GDPR. This is a positive development for two reasons. First, the GDPR will directly apply as an EU-wide regulation that does not need national implementation. For internationally operating cloud service providers, this eases legal compliance across EU countries substantially. Second, the certification standard conveniently overlaps with the GDPR. Companies can now use ISO 27018 to signal legal compliance in those overlapping areas.
Nevertheless, this does not mean that ISO 27018 is congruent with the GDPR. ISO 27018 covers the largest scope of privacy and data protection law requirements to date in a certification, but it is limited to data processors. It also leaves crucial data protection law compliance elements out of scope. Outsourcing (e.g., sub-processor agreements) and data transfers outside of the EU (e.g., subscribing to Safe Harbor) remain complex legal issues that must be addressed separately, as ISO 27018 certification does not cover these points.
Conclusion and Outlook
While the U.S. and the EU take very different approaches to regulating data privacy and security, strong signals of reliability, accountability, and compliance have high value in both markets. Aside from being legal requirements, they are also trust-building tools. In today’s environment of increasingly large, costly, and frequent data breaches, companies in both jurisdictions are looking for ways to ensure that their data will be held and processed securely and in compliance with relevant laws, rules, and contractual requirements.
The ISO 27018 standard and corresponding certification is an important step toward a more harmonized international data privacy regime. It is a practical and uniformly accepted standard with strong brand recognition and signaling effect. The certification is a commitment that regulators, other businesses, and customers will recognize and reward with greater trust in a cloud provider’s service.
1 In August 2014, the ISO adopted ISO 27018, titled “Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.”
2 See Microsoft Azure announcement dated February 16, 2015: https://azure.microsoft.com/blog/2015/02/16/azure-first-cloud-computing-platform-to-conform-to-isoiec-27018-only-international-set-of-privacy-controls-in-the-cloud/, last accessed August 12, 2015.
3 See Dropbox Blog announcement dated May 18, 2015: https://blogs.dropbox.com/business/2015/05/dropbox-for-business-iso-27018/, last accessed August 12, 2015.
4 ISO certifications are performed by nationally accredited third-party certification bodies that can issue certificates according to ISO standards.
5 ISO 27002 covers topics such as information security policies and their organization, HR security, asset management, access controls, cryptography, securing the physical environment, operational security such as protection from malware and technical vulnerability controls, incident management, and compliance.
6 ISO 27018, p. vi.
7 Cloud computing received its name because of the symbol representing a server. When computer scientists visualize a server, they represent it with a circle. Draw many overlapping circles next to each other to represent a data center, and the result looks like a cloud.
8 ISO 27018 defines a data breach as a “compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.” ISO 27018, Sec. 3.1, p. 2.
9 An example is Dropbox’s certificate, https://www.dropbox.com/static/business/resources/dropbox-certificate-iso-27018.pdf