Microsoft has become the first major cloud provider to adopt the world’s first international standard for cloud privacy.

Brad Smith, Microsoft's general counsel and executive vice-president for legal and corporate affairs, points out that the ISO/IEC 27018 standard establishes a uniform, international approach to protecting the privacy of personal data stored in the cloud. The standard is a code of practice built on the ISO/IEC 27002 control set, and it applies to public cloud providers acting as processors of personally identifiable information (PII) on behalf of their customers.

The British Standards Institution (BSI) has now independently verified that, in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard's code of practice for the protection of PII in the public cloud. Bureau Veritas has done the same for Microsoft Intune.

Smith says that adherence to ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways:

* The user is in control of their data. Adherence to the standard ensures that Microsoft only processes personally identifiable information according to the instructions the customer provides.

* Users know what's happening with their data. Adherence to the standard ensures transparency about Microsoft's policies regarding the return, transfer and deletion of personal information stored in its data centres, so the company can tell users where their data is and who else might have access to it. In addition, if unauthorised access to personally identifiable information, or to the equipment or facilities that process it, results in the loss, disclosure or alteration of that information, the user will be informed.

* Microsoft provides strong security protection for users' data. Adherence to ISO 27018 provides a number of important security safeguards. It ensures that there are defined restrictions on how Microsoft handles personally identifiable information, including restrictions on its transmission over public networks and its storage on transportable media, and that proper processes are in place for data recovery and restoration.

In addition, the standard ensures that everyone who processes personally identifiable information, including the company's own employees, is subject to a confidentiality obligation.

* Users’ data won’t be used for advertising. Enterprise customers are increasingly expressing concerns about cloud service providers using their data for advertising purposes without consent. The adoption of this standard reaffirms Microsoft’s commitment not to use enterprise customer data for advertising purposes.

* Microsoft will inform users about government access to data. The standard requires that law enforcement requests for the disclosure of personally identifiable data be disclosed to the enterprise customer, unless such disclosure is prohibited by law. Microsoft already adheres to this approach, and adoption of the standard reinforces it.

“All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations,” Smith writes on the company blog. “We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.”