The Cloud, Regulations, and PII

In late July 2014, with very little fanfare, the International Standards Organization (ISO) published ISO/IEC 27018. The standard outlines controls and guidelines for implementing Personally Identifiable Information (PII) protection for public cloud computing environments. ISO 27018 builds on the existing ISO/IEC 27001 and ISO/IEC 27002 frameworks for information security systems.

The new standard applies to any public and private companies, government entities, and nonprofits, which provide PII data storage and processing services via cloud computing. It is the first privacy-specific international standard for the cloud and creates a common set of security controls which public cloud service providers (CSPs) processing PII can implement.

In order to comply with ISO 27018 guidelines, CSPs must follow 5 key principles:


CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.


Customers have explicit control of how their information is used.


CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.


The standard asserts that any breach of information security should trigger a review by the service provider to determine if there was any loss, disclosure, or alteration of PII.


In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it. The ISO 27018 certification requires companies with cloud offerings to be audited by an accredited certification body and agree to submit to periodic third-party reviews over time. Once a company is certified, it will have to build 27018 requirements into new and existing contractual obligations. Additionally, companies will have to notify customers about law enforcement data requests in a timely, transparent manner.

Adoption of 27018 has been slow, and currently, only six companies, globally, have been certified as ISO/IEC 27018 compliant: Microsoft, Google Apps, Amazon Web Services, Dropbox, Workday, and Ribose, a small firm based in Hong Kong.

Early adopters stand to benefit. As regulatory changes across the globe are profoundly impacting the way companies transfer, store, and consume customer and internal data. In Europe, for example, the longstanding Data Protection Directive (95/46/EC), which governs how PII is handled, will be replaced by the EU General Data Protection Regulation (GDPR). ISO 27018 directly addresses the EU regulatory need for a cloud computing audit and compliance framework in order to build trust in the technology, so any company ready to go out of the gate, will already be a head of the pack.