Sarah Broughton

Protecting PII (Personally Identifiable Information) is a challenge for individuals and businesses alike.  In their latest post, OCSL’s Compliance Team walk us through OCSL’s most recent accreditation, ISO27018:2014.  It is designed to protect Personally Identifiable Information in the Cloud. Specifically, it places a central requirement on certified cloud service providers to address public cloud PII protection requirements for the data in which they have been entrusted.

Gartner predict by 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.  (Gartner: Top 10 Security Predictions 2016)

Sarah Broughton Compliance Team Leader Make contact

Q: Just to clarify, what do you mean by PII?

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.  

Here’s the current legal definition from the Data Protection Act 1998:

“Personal data” means data which relate to a living individual who can be identified— 
(a) from those data


b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”

It’s worth noting, under the GDPR (Law as of 25/05/2018) the concept of personal data includes online identifiers and location data, and one or more factors specific to the individual including, but not limited to, their genetic, biometric, cultural or economic identity.

Q: So, what is ISO27018:2014 and why is it important?

ISO27018:2014 is an internationally-recognised code of practice for protection of personally identifiable information (PII) in public clouds.  OCSL were certified as being compliant to the controls of the ISO27018:2014 Code of Practice in May 2017 by a UKAS-accredited audit body. 

It applies supplementary controls and guidance to the requirements of ISO27002 (the technical guidance for ISO27001).  ISO/IEC 27018 has been published to enable certified cloud service providers to demonstrate that they are conforming to industry best practice when processing PII under contract, safeguarding entrusted data and only processing it for the purposes for which the cloud service customer has given consent.

Q: What does this mean in practice?

With GDPR looming in 2018, the need to protect personal data is only going to get higher on the CIO agenda. And as we recently saw, Cyber Attacks are now a Stark Reality.  

So, for anyone in charge of managing data, this new certification delivers greater peace of mind.  Working with a managed service provider with this accreditation means risks have been identified and controls are in place to manage or reduce them.

Internationally, this new standard provides common guidelines across different countries, making it easier to do business globally. It has the potential to become a new global point of reference for assessing compliance of cloud services with data protection requirements. 

Best-practice accreditation combined with a Security Risk Assessment can significantly reduce the risk of breaches associated with personal information. 

For any organisation considering a move to the Cloud, I would certainly put an ISO27018:2014 cloud certification high on my checklist when selecting a managed services provider.

More about ISO Accreditation

At OCSL, we chose to implement ISO27001 over 7 years ago, shortly followed by ISO9001; in 2015 we achieved ISO20000, which is ITIL (Information Technology Infrastructure Library) aligned.  ISO27018 was added in 2017 to further complement our existing suite of compliance offerings See the team’s previous post on: “Everything you wanted to know about IT compliance but were afraid to ask.

If you have any queries around the PII, compliance, compliance risk assessment or any of the details mentioned in this post, please get in touch.


Thought piece