Helping to strengthen privacy and compliance protections for its customers in the cloud, the global information technology ecosystem has recorded a major milestone: Microsoft has become the first major cloud provider to adopt the world’s first international standard for cloud privacy.
The new development ensures that enterprise customers can move with confidence to the Microsoft Cloud.
According to Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft, the announcement follows verification by independent auditors that Microsoft Azure, Office 365, Dynamics CRM Online, and Intune are aligned with ISO/IEC 27018, a standard which was developed by the International Organization for Standardization (ISO) to provide a uniform, international approach to protecting Personally Identifiable Information (PII) in the public cloud.
“All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations.
“We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors.
“Today’s news is just one way we’ve been working to help strengthen privacy and compliance protections for our customers in the cloud. Last spring, we received confirmation from European data protection authorities that Microsoft’s enterprise cloud contracts are in line with “model clauses” under EU privacy law regarding the international transfer of data.
“And last fall, Microsoft became one of the first companies to sign the Student Privacy Pledge developed by the Future of Privacy Forum and the Software & Information Industry Association to establish a common set of principles to protect the privacy of student information.
“As we’ve said before, customers will only use services that they trust.
“The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online”, he explained.
Although the standard may seem technical, he explained that it has important practical benefits for enterprise customers around the world.
The standard, known as ISO/IEC 27018, was developed by the ISO, he said, to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.
According to Smith, the British Standards Institute (BSI) has now independently verified that in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. And similarly, Bureau Veritas has done the same for Microsoft Intune.
Explaining the reasons why it should be adopted, he said that adherence to ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways:
Control of your data:
“Our adherence to the standard ensures that we only process personally identifiable information according to the instructions that you provide to us as our customer”, he said.
Knowledge of your data:
Adherence to the standard, he said, ensures transparency about Microsoft’s policies regarding the return, transfer, and deletion of personal information you store in its data centers.
“We’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with.
“In addition, if there is unauthorized access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, we’ll let you know about this”, he explained.
Security for data:
Adherence to ISO 27018, he said, provides a number of important security safeguards. It ensures that there are defined restrictions on how personally identifiable information is handled, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.
Similarly, he added that the standard ensures that all of the people, including Microsoft’s own employees, who process personally identifiable information must be subject to a confidentiality obligation.
Data for advertising:
The adoption of the standard, he further explained, ensures that customers’ data is not used for advertising without consent.
The adoption of this standard, he said, reaffirms Microsoft’s long-standing commitment not to use enterprise customer data for advertising purposes.
Information about government access to data:
According to Smith, the standard requires that law enforcement requests for disclosure of personally identifiable data must be disclosed to you as an enterprise customer, unless this disclosure is prohibited by law.
“We’ve already adhered to this approach (and more), and adoption of the standard reinforces this commitment”, he said.