5. Communication: In case of a breach, CSPs should
notify customers and keep clear records about the incident
and the response to it.
• Customers can rely on independent third party verification of the principles above. To remain compliant, the
CSP must subject itself to yearly third-party reviews.
6. Independent and yearly audit: A successful third-party audit of a CPS’s compliance documents its service’s
conformance with the standard, allowing for customer
reliance thereon and consequently supporting a customer’s
regulatory compliance. To remain compliant, the CSP must
subject itself to yearly third party reviews.
Kevin:
The above principles combine in a meaningful manner to
ensure that:
Well, Microsoft has certified under and contractually
commits to comply with the ISO 27001 standard. This now
includes the controls for which it has been audited and that
comprise the cloud specific standard of ISO 27018.
Additionally, Microsoft has and continues to make the
contractual commitments that support the protection of personal information and that have defined its long-committed
stance to privacy.
So how does this all tie-in with PoPI and the
Microsoft Cloud?
Theo:
Moreover, compliance with the controls established under
ISO 27018 now mean that customers in South Africa utilizing a Microsoft cloud service have a tangible and definitive
manner in which to structure and deliver on their compliance obligations under the Protection of Personal Information Act (“PoPI”).
By way of illustration; consider the data sovereignty obligations imposed under Section 72 of PoPI, and specifically
subsection 1 of the section that requires:
72. (1) A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a
foreign country unless—
(a) the third party who is the recipient of the information is subject
to a law, binding corporate rules or binding agreement which
provide an adequate level of protection that—
(i) effectively upholds principles for reasonable processing of the
information that are substantially similar to the conditions for the
lawful processing of personal information relating to a data subject
who is a natural person and, where applicable, a juristic person;
and
(ii) includes provisions, that are substantially similar to this section,
relating to the further transfer of personal information from the
recipient to third parties who are in a foreign country;
• Customers will always know where their data may be
stored and who is processing that data.
• Customers won’t need to worry that the CSP will use
their information for marketing and advertising without
their consent.
• Customers can be confident that the CSP will be
transparent about its ability to return, transfer, or securely dispose of any personal data at their request.
• Customers can rely on an ISO/IEC 27018 compliant
CSPs to help them to handle access, correction or
deletion requests.
• Customers can rely on ISO/IEC 27018 compliant
CSPs to notify them in the event of a security incident
resulting in unauthorized PII disclosure, and to help
them comply with their notification obligations.
• Customers can be confident that an ISO/IEC 27018
compliant CSP will only comply with legally binding
requests for disclosure of their data.
10 | www.firstdistribution.co.za
Legal jargon aside, it is clear that a Responsible Party
either needs a binding agreement or corporate rules that
reflect the principles of PoPI in order to transfer personal information outside the borders of South Africa, and in the absence of these, the data must be received into a jurisdiction
with law that mirror’s PoPI principles. In the last mentioned
circumstance it is impossible to make such a determination
without the necessary transparency regarding location of a
customer’s data.
Kevin:
So things are looking good for consumers in terms of overall trust when it comes to cloud then?
Theo:
Absolutely. Considering the above, one should feel confident that using a cloud service that complies with the ISO
27018 standard represents the strongest commitment by
a CSP to support a customer’s compliance with PoPI and
simultaneously build trust in the use of such services.