12 February 2015

ISO 27018: Data Protection Standards For The Cloud


In 2014, the International Standards Organization (ISO) added to its family of information security standards when it published ISO/IEC 27018, a code of practice that sets forth standards for the protection of personally identifiable information (PII) in the public cloud.

ISO/IEC 27018 provides best practices for public cloud service providers and establishes a common set of control objectives, controls, and guidelines for implementing measures to protect PII.

The standard requires cloud service providers to, among other things:

  • only process PII in accordance with the customer’s instructions;
  • only process PII for marketing or advertising purposes with the customer’s express consent;
  • implement tools that enable customers to comply with PII access, removal and correction requirements;
  • disclose to the customer the identity of subcontractors and any possible locations where PII may be processed;
  • ensure that personnel who have access to PII enter into confidentiality agreements and receive appropriate training;
  • only disclose PII to governmental or regulatory authorities when legally obligated to do so; and
  • assist customers in complying with notification obligations in the event of a security breach.

The standard may be of particular interest to customers in highly regulated industries, such as financial services and insurance, since compliance by a customer’s service providers with the standard may provide a better quality of assurance to the customer’s regulators.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
