Although cloud computing is an increasingly important part of today’s business world, many companies still hesitate to use cloud services because of concerns about privacy and data security. These concerns often arise from the compliance issues that outsourcing data processing to a third party can create: Cloud customers fear that they will face additional challenges to complying with legal obligations such as providing access rights to data subjects and responding to data security breaches. Storing data with a cloud provider also can give rise to concerns about the ways in which the provider may use the data, where the data will be stored, and whether and how the provider may share the data with third parties, including law enforcement agencies.

The International Organization for Standardization (ISO) recently adopted a voluntary standard designed to address many of these concerns: ISO 27018, the first voluntary international standard for processing information that is specifically tailored to cloud providers. The new standard builds on pre-existing ISO standards for information security management, but also gives cloud providers a way to comply with strict legal requirements and common customer demands. By integrating many of the more demanding cloud security requirements from the European Data Protection Directive and addressing requirements that often apply to government cloud customers, ISO 27018 allows cloud customers to evaluate the data security practices of cloud providers easily and to choose the provider appropriate for their security needs.

A central focus of ISO 27018 is increased transparency by cloud service providers. Before the provider and the customer enter into a contract, ISO 27018 requires the provider to disclose the identity of any sub-processors, as well as possible locations where the data might be stored. In addition, providers are required to process personal information in accordance with the customer’s instructions. If their storage locations or processing methods change, providers who comply with ISO 27018 will have to inform their customers, who will have the option to object to the change or terminate their cloud services agreement.

The new standard also requires cloud providers to offer tools to help their customers comply with their data protection obligations to end users, including allowing end users to access, correct, or erase their personal information. Compliant cloud providers can only process personal information for marketing or advertising purposes with a customer’s express consent, and cannot require consent as a condition of receiving services. ISO 27018 also requires providers to restrict third-party access to information customers store in the cloud. Providers may not disclose information to law enforcement unless they are legally required to do so, and must assist customers in complying with their notification obligations to end users in the event of a data breach.

Other requirements imposed by ISO 27018 include independent information security reviews at planned intervals, as well as confidentiality agreements and appropriate training for all cloud provider employees who can access personal data. Finally, cloud providers who choose to comply with ISO 27018 must ensure that customers can control their data by implementing a policy for the return, transfer, or disposal of personal data.

Taken together, the ISO 27018 requirements represent a notable development in cloud computing. By including many requirements imposed by EU law, the new standard may give customers that handle sensitive data, or that are subject to stringent data security regulations, a quick reference point for evaluating the security practices of cloud service providers. In addition, ISO 27018 requires cloud providers to disclose key information that will allow cloud customers to assess the legal implications and risks that can result from choosing to store their data in the cloud. Cloud service providers’ compliance with this standard could prove to be a key differentiator in the marketplace and increase businesses’ adoption of cloud-based services.