Previous article in series – Data Privacy: Jurisdictional Differences
When an organization embarks upon a path designed to improve its security posture, operational efficiency, or cultural behavior, there are many established codes of practice that can be utilized. Some of these codes of practice or guidelines come with the capability of certification.
ISO/IEC 27018:2019
ISO/IEC 27018 (first published in 2014; the current edition is ISO/IEC 27018:2019) is the first international code of practice focused on the protection of personal data in the cloud. Its scope is public cloud service providers acting as PII processors, i.e. processing personal data on behalf of a customer rather than for their own purposes. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance on the ISO/IEC 27002 controls that apply to personally identifiable information (PII) in a public cloud. It also adds a set of additional controls and associated guidance for public cloud PII protection requirements that the existing ISO/IEC 27002 control set does not cover.
Cloud service providers adopting ISO/IEC 27018:2019 must operate under five key principles:
- Consent: Cloud service providers must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for customers to use the service without submitting to such use of their personal data for advertising or marketing.
- Control: Customers have explicit control of how their information is used.
- Transparency: Cloud service providers must inform customers where their data resides, disclose the use of subcontractors to process PII, and make clear commitments about how that data is handled.
- Communication: In case of a breach, cloud service providers should notify customers, and keep clear records about the incident and the response to it.
- Independent, yearly audit: A successful third-party audit of a cloud service provider's compliance documents the service's conformance with the standard, showing that customers can rely on it to support their own regulatory obligations. To remain compliant, the cloud service provider must subject itself to yearly third-party reviews. Note that ISO/IEC 27018 is a code of practice rather than a certifiable standard in its own right: in practice it is audited within the scope of the provider's ISO/IEC 27001 certification, so a customer should check that the 27001 certificate scope and Statement of Applicability actually include the 27018 controls and the service in question.
Trust is key for customers moving workloads to the cloud, and vendors of cloud services are therefore working toward adopting the privacy principles set out in ISO/IEC 27018:2019.
Generally Accepted Privacy Principles (GAPP)
The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA, now part of CPA Canada) developed tools, processes and guidance based on the Generally Accepted Privacy Principles (GAPP) to help organizations strengthen their privacy policies, procedures, and practices. GAPP has since been superseded by the AICPA/CPA Canada Privacy Management Framework (2020), but its ten principles remain the basis of many privacy programs and audit criteria.
Privacy is often regarded as a purely legal or technical subject. GAPP makes the case that privacy is a business subject, because the impact of privacy violations reaches beyond technical or legal boundaries. It gives examples of the consequences of inadequate privacy policies and procedures: employee distrust, damage to the organization's reputation, lost business with the resulting reduction in revenue and market share, and legal liability when personal information is misused, for example in identity theft.
Privacy Definition
Privacy is defined in Generally Accepted Privacy Principles as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.”
The 10 GAPP privacy principles are:
- Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
- Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
- Choice and consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
- Collection: The entity collects personal information only for the purposes identified in the notice.
- Use, retention, and disposal: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
- Access: The entity provides individuals with access to their personal information for review and update.
- Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
- Security for privacy: The entity protects personal information against unauthorized access (both physical and logical).
- Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
- Monitoring and enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related inquiries, complaints, and disputes.
Next article in series: Data Privacy: Maturity Model
1 thought on “Data Privacy: Standard Requirements”