In July 2014, the ISO and the IEC published ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors). It is the first international standard that sets out security rules for data constituting PII in cloud computing, and it draws on the experience of various jurisdictions, including the member states of the European Union.
The technological development of recent years has led both businesses and ordinary users to look for new ways of storing data and using services that are accessible from any place at any time. One consequence has been the creation of tools for processing data in the cloud, and with them a need for solutions that secure the information stored there. Because data entrusted for processing are very often personal data, protected in different ways under the legislation of many states, the question arose of how consistent and how good the data protection standards applied by global, transnational cloud service providers actually are. The need to standardize the security rules for processing personal data in the cloud, and to increase users' confidence in such processing, led the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) to begin work on a set of standards and guidelines for the secure processing of so-called PII (Personally Identifiable Information).
In July 2014 the ISO and the IEC published ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors). It is the first international standard to describe security rules for data constituting PII in cloud computing. Formally it is a code of practice: it builds on the control set of ISO/IEC 27002, adding guidance and additional controls specific to public cloud providers acting as PII processors, and it is intended to be implemented alongside an ISO/IEC 27001 information security management system. The basic objective of the new standard is to create a set of rules for the secure processing of PII by entities that provide cloud data processing services, taking into account such assumptions as transparency of the service from the user's point of view, clear standards for the rights and obligations of the service provider and of the user, and basic rules that allow data to be processed in compliance with the legal requirements in force in various jurisdictions. The standard may be implemented by various entities, including companies, public bodies and non-profit organizations that process data in the cloud.
The new standard imposes certain obligations on service providers, which include in particular:
- the obligation to give users control over the processing of their data;
- the obligation to give users the ability to access, correct and delete their data;
- the obligation to ensure that users' data are processed only in accordance with their instructions and for the stated purpose; and
- the need to restrict disclosure of, and access to, data by third parties such as sub-contractors (the obligation of confidentiality, and the obligation to disclose the sub-contractors used to the users).
Implementing ISO 27018 will make it possible to better protect the data that users entrust to the cloud. The standard will undoubtedly become a popular tool for global providers of cloud storage services. At present, the most common problem such providers face is the need to adapt their services to the data protection standards in force in different states and jurisdictions. Because ISO 27018 takes into account the experience and legislative developments of numerous jurisdictions, including European legislation, a service provider will be able to demonstrate in a straightforward way that it has implemented the basic rules of data security. Needless to say, this will increase its credibility in the eyes of users, although a user who relies on such a claim should still check that the provider's ISO 27001 certification scope actually covers the cloud service in question and includes the ISO 27018 controls, rather than taking a reference to the standard at face value. There is no doubt that applying ISO 27018 will have a very positive impact on the perception of service providers, so one should expect that global IT firms will soon begin implementing the new standard.