Microsoft recently announced that they are the first major cloud provider to adopt the International Organization for Standardization (ISO) standard for protecting privacy for personal data stored in the cloud. The standard is ISO/IEC 27018, and it establishes a uniform and international approach to protecting data privacy. The British Standards Institute (BSI) has independently verified that Microsoft Dynamics CRM, Azure, and Office 365 are compliant with the standard’s code of practice for the protection of personally identifiable information (PII) in the public cloud.
Brad Smith, Microsoft General Counsel & Executive Vice President, Legal and Corporate Affairs, gives us a number of reasons why this matters:
- Microsoft’s adherence to the standard ensures that they only process PII according to the instructions provided to them by their customers.
- Adherence to the standard ensures transparency about Microsoft’s policies regarding the return, transfer, and deletion of personal information stored in their data centers. If there is unauthorized access to PII, Microsoft will alert the customer.
- Adherence to ISO/IEC 27018 ensures that there are defined processes for how PII is handled, including restrictions on its transmission over public networks and storage on transportable media, as well as proper processes for data recovery and restoration efforts. In addition, the standard requires that everyone who processes PII be bound by a confidentiality obligation.
- Your data will not be used for advertising purposes without consent.
- The standard requires that law enforcement requests for the disclosure of PII be disclosed to the enterprise customer, unless prohibited by law.
Microsoft had already been practicing much of what the standard calls for, and more, but the adoption and independent verification of ISO/IEC 27018 adherence provides confidence that with Microsoft, your data will be protected the way you need it to be.