ISO/IEC 27018 is the first international standard of privacy controls for personal data held in the cloud, and Microsoft today announced that Azure is the first cloud computing platform to adopt it.
“Today’s news is just one way we’ve been working to help strengthen privacy and compliance protections for our customers in the cloud. Last spring, we received confirmation from European data protection authorities that Microsoft’s enterprise cloud contracts are in line with ‘model clauses’ under EU privacy law regarding the international transfer of data,” said Brad Smith from Microsoft.
Cloud service providers (CSPs) adopting ISO/IEC 27018 must operate under five key principles:
- Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Control: Customers have explicit control of how their information is used.
- Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process personally identifiable information (PII) and make clear commitments about how that data is handled.
- Communication: In case of a breach, CSPs should notify customers and keep clear records of the incident and the response to it.
- Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
Read more about it here.