Data privacy is always in the news. Whether celebrities' photos have been stolen from a cloud service or an enterprise holding customer data has been breached, information leaks are a source of constant interest. And while there is always an element of voyeurism in that interest, at least part of it is probably because most of us are aware of how much of our private and personal data is held online, and how easily it could be us next.
In the world of data centres, this concern is not just an abstract interest, but a very real awareness of responsibility.
Setting standards for data centre infrastructure
We have written before about the European Data Centre Association, or EUDCA. It has been part of developing standards for data centres across the European region, to the extent that there will soon be a complete set of standards covering the non-IT infrastructure and the physical communication layer of European data centres. The reference standard, however, remains the US telecommunications infrastructure standard for data centres.
Among these standards, it may surprise you to learn that there is one on the protection of personally identifiable information: ISO/IEC 27018. But perhaps this isn't so surprising. A 2012 survey of global cloud providers by the consulting giant KPMG International found that data loss and privacy risk was one of the biggest obstacles to customer cloud adoption. A massive 39% of respondents cited it, with only loss of control and integration with existing architecture causing more concern.
EUDCA has been involved in developing the personally identifiable data protection standard since April 2013, with one of its cloud provider members in the lead. The aim of the work is to draw up a code of conduct for data protection controls for public cloud computing services.
Defining personally identifiable information (PII)
Personally identifiable information, or PII, is defined as any information that can be used to identify the person to whom it relates, or that is or might be directly or indirectly linked to a person. By anyone's standards, that definition is very wide. PII principals, or data subjects, are the people to whom PII relates. PII controllers, or data controllers, are those who hold the data and determine how and for what purposes it will be processed. PII processors are parties that process PII on a controller's behalf, which is the role a cloud service provider typically takes. All of this is overseen by a PII protection authority, which varies by jurisdiction.
EUDCA has noted growing demand from PII controllers to use cloud service providers as PII processors. This is a great opportunity for cloud service providers, but it means they have to be able to demonstrate that customers and regulators can have confidence in PII processing in the cloud. Data controllers, for their part, need to be able to select a PII processor on the basis of quality.
Developing standards for PII processing
This goes some way towards explaining the development of standards and certification: a formal way to demonstrate that the cloud is 'safe' for PII processing. Certification against these standards allows PII processors to demonstrate their quality. The standards must of course fit with what is already there, including existing PII processing obligations, or organisations will not adopt them. But they also need to keep working as both cloud infrastructure and privacy regulation develop, which requires some flexibility.
The development process drew heavily on existing data protection law in the EU member states. From these laws, some 70 new controls and pieces of guidance were drawn up. Consultation with the industry allowed them to be adapted and updated to make sure that they work in practice. The next stage was to eliminate overlap with existing standards, leaving only the genuinely new guidance and controls for ISO/IEC 27018. Pragmatically, the new standard uses the same management system as the earlier standards in the ISO/IEC 27000 family. It was ratified in July 2014.
A practical solution to demonstrate data centre competence in PII processing
The new ISO/IEC 27018 standard is a very practical step that lets cloud providers start to demonstrate their competence in handling personally identifiable information. But the standard is not attractive to providers only for the certification it offers.
It works well for existing cloud providers, and it scales well. It is economically viable because it supports incremental accreditation and certification, and it allows for continuous improvement. As a result, it can be adopted easily and then adapted and developed over time. It seems likely to achieve its aim: building confidence among both customers and regulators of the cloud industry in the processing of personally identifiable information in the cloud.