All this week, I have been blogging about the new ISO/IEC 27018 Standard and what it means for protecting personal information in cloud-based services. So, what does the Standard actually offer?
The standard gives new, clear guidance based on EU Data Protection Authority input on how a data processor should protect customer data, including a requirement that providers must either stop mining customer data for advertising purposes, or gain explicit consent to do so. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
Whereas other standards and processes require fast responses and repairs in order for a Service Level Agreement to remain in force, the ISO 27000-series of standards require identifying and fixing the root causes of the problems that arise. This approach is essential to the long-term information security as well as to the health of privacy-protecting cloud infrastructure.
1. Spelling out the true cost of the “free lunch” of many online services
Barely a week goes by without a new concern being raised about how cloud service providers use customer data. Nowhere is this more prominent than in the concern about use of personal data for advertising. Of course, some service providers will always find disingenuous ways to claim that the people most affected are not really their customers but just “users” – they would assert that their customers are the advertisers and that users simply consent to exchange their personal data for some “free” service.
People are rightly worried that their data is used or misused for such purposes without their express consent – only to be told, if they do decide to take up the cause, that consent is an implicit or explicit condition for use of the service. The ISO 27018 Standard can help here – a service provider who claims compliance with the controls and best practices laid out in the Standard will only use customer data as intended for use within the particular service. They cannot use that data for additional purposes such as advertising or marketing without the customer’s express consent. Most significantly, if they comply with the ISO 27018 controls, they cannot make it a condition of use of the service that a person is effectively coerced to allow use of their personal data for advertising and marketing. Those all-too-common, often misleading, “we value your privacy” statements will finally have to mean something.
2. Transparency and Peace of Mind
Using a cloud service provider that conforms to the controls specified in ISO 27018, will provide peace of mind to customers, confident that the provider will return, transfer, or securely dispose of any personal data at the customer’s request, and within a reasonable period of time, as required in the Standard, for customers leaving their service.
A cloud service provider may have legitimate (but still clearly defined and limited) reasons for retaining customer data – imagine you forgot to renew a cloud service subscription and everything you had patiently assembled disappeared the following day! Or they need to hold on to billing information and history for accounting purposes. But once a clearly defined retention period has passed, data will be permanently deleted and removed from those services. The customer, and all data associated with them, can be “forgotten” by the cloud service.
3. Transparency of sub-processors
It is not sufficient for a cloud service provider to not know – or pretend not to know – about what their own suppliers and contractors that also handle personal data are up to. Such sub-processors, as they are known, help service providers with data storage, processing and security. ISO 27018 requires providers to be clear about who they work with before customers enter into a contract. If those relationships or partners change, then customers have an opportunity to object or terminate their agreement.
4. Don’t just take the provider’s word for it!
If in doubt – check it out! Customers can rely on independent third party verification that a particular supplier really is implementing the controls that ISO 27018 requires. Cloud service providers must go through a rigorous certification process by an accredited and independent certification body in order to In order to be verified as compliant. And that isn’t a one-off procedure either: providers must submit to regular, periodic review in order to maintain their certification as conformant with the standard.
5. Globally applicability
The ISO 27018 standard has taken into account public policy from around the world as it incorporates input from many regional regulators. Conform to the standard, and a cloud service provider makes the whole job of conforming to particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and compliance in an increasingly cloud-based information environment.
6. Protecting against unintended consequences
The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many providing cloud services – even if their primary business may not be the handling of sensitive or personal data. Following and using the privacy controls foreseen in ISO 27018 offers greater assurance for service providers that they are doing the right thing and doing everything recommended to protect even accidental or unintended release of PII.
So, in summarizing this series of posts: what to look out for…
….as a cloud service customer
It may be early days to be already asking cloud service providers to demonstrate conformance with the ISO 27018 or asking for their certification of compliance – but organizations don’t magically conform overnight and nudging a supplier in the right direction – or if you are a supplier, nudging your services to examine this – is a good move. It is already worth asking whether the specific privacy controls covered in the standard will be included in future audits of their cloud service offerings.
If these controls are to be included and the audits are completed, as a customer you should be looking to see that these new privacy controls are included as part of a contractual commitment to maintain a data security policy that complies with ISO 27001.
…and as a cloud service supplier
As a supplier, likewise – it could become a valuable differentiator for you to demonstrate such compliance or that you are using cloud service suppliers that complies.
Plan to apply the guidance in ISO/IEC 27018 to all customer data, even if you do not have visibility into the presence or absence of PII in the data that you process for customers – given the increasing complexity of data flows between cloud services and multiple types of device, it is difficult to be 100% certain that no PII is ever compromised. Better safe than sorry.
Privacy is not just a technology and engineering problem: information security and data protection can certainly be addressed with increasingly sophisticated tools and processes but privacy is a social issue with impacts well beyond the data stored and managed by cloud services. This requires that Boards look at the wider issues of harms and risks and in particular the consequences of decisions taken in their deployments of cloud services. ISO 27018 helps make that whole process clearer for all involved.
ISO 27018 emerged as a result of detailed feedback from, and dialogue with, privacy practitioners and regulators across the world. Organizations are faced with a simple question: do you prefer to voluntarily submit to using and following an agreed set of internationally approved standards or run the risk of further government regulation and intervention?
ISO 27018 helps customers and cloud service providers by ensuring that concrete guidance and specific controls for processing PII are addressed as part of an ISO/IEC 27001 audit. Many cloud service providers have commitments to information security management systems as defined in ISO/IEC 27001, and have thus, as part of that process, controls in data security policies that address protection of PII.
Certification against the ISO Standard on its own will not fix all privacy issues not is it in itself a guarantee of information security. Using it diligently and following the practices and guidelines recommended will however contribute to minimizing risk and improving an organization’s profile as a “good player” in the increasingly competitive world of cloud service suppliers.
ISO 27018 must be seen and used in the broader context of privacy strategy: as Trevor Hughes, CEO of the International Association of Privacy Professionals, put it recently: “Companies cannot view privacy as a compliance matter to be addressed by legal departments or a technical issue handled by IT…. “Rather, to avert public embarrassment and consumer backlash, they must set up ethical review processes and instill issue-spotting skills in employees throughout the organization.” ISO 27018 is a core component of that skill set.