Microsoft has become the first major cloud provider to adopt an international standard for cloud privacy.
The standard, known as ISO/IEC 27018, was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.
The British Standards Institute (BSI) has now independently verified that, in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of personally identifiable information in the public cloud. Bureau Veritas has done the same for Microsoft Intune.
According to Microsoft, there are numerous benefits enterprise customers can realise from using cloud services that adhere to ISO 27018. Not only are they in control of their data, but they know what’s happening with it too. For example, Microsoft promises to be transparent about its policies regarding the return, transfer, and deletion of personal information stored in its data centres.
In addition, if there is unauthorised access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, Microsoft will notify its customers.
Adherence to ISO 27018 also provides a number of important security safeguards. It ensures that there are defined restrictions on how the service provider handles personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.
Enterprise customers can also be assured that their data won’t be used for advertising purposes without consent. Plus, the standard requires that law enforcement requests for disclosure of personally identifiable data be disclosed to customers first, unless this disclosure is prohibited by law.
“We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors,” said Brad Smith, general counsel and executive vice president of Legal and Corporate Affairs at Microsoft.
This latest development follows a number of measures that Microsoft has taken to strengthen privacy and compliance protections for its cloud customers. Last spring, for example, it received confirmation from European data protection authorities that Microsoft’s enterprise cloud contracts are in line with ‘model clauses’ under EU privacy law regarding the international transfer of data. And towards the end of 2014, Microsoft became one of the first companies to sign the Student Privacy Pledge developed by the Future of Privacy Forum and the Software and Information Industry Association to establish a common set of principles to protect the privacy of student information.