Making Cloud SLAs readily usable in the EU private sector

Wanted: An international standard for cloud privacy

Enterprise customers around the world want an international standard for cloud privacy. Now there is one, and cloud providers are starting to recognize its value to their customers. It’s known as ISO/IEC 27018, and it was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.

Why does this matter to you? The reasons are multiple. Adherence to ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways:

  • You are in control of your data. A cloud service provider’s adoption of the standard ensures that it will only process personally identifiable information according to the instructions that you give to the provider.
  • You know what’s happening with your data. Adherence to the standard ensures transparency about the provider’s policies regarding the return, transfer, and deletion of personal information you store in data centers. You’ll know where your data is, if the provider is working with other companies who need to access your data, and if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information.
  • You get strong security protection for your data. Adherence to ISO 27018 ensures that there are defined restrictions on how a provider handles personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.
  • Your data won’t be used for advertising. Enterprise customers are increasingly expressing concerns about cloud service providers using their data for advertising purposes without consent.
  • You’ll be informed about government access to data. The standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law.

Microsoft is the first major cloud provider to adopt the ISO 27018 standard, as verified by independent auditors. We’re also optimistic that ISO 27018 can become a common template for regulators, vendors and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.