Datonomy’s correspondents in Asia take an in-depth look at the new ISO 27018 and evaluate how it can help cloud customers meet the requirements of Singapore’s new Personal Data Protection Act. Back in September I blogged on the then newly-published ISO 27018, the first global security standard specifically applying to cloud services. In this recent post my colleague Daniel Jung and I take an in-depth look at how the new ISO measures up to Singapore’s new PDPA. The article will also be of wider interest to cloud customers and cloud providers as it considers the various ways a cloud provider can demonstrate compliance with the new standard. To read the post, please visit Datonomy’s sister blog Watching The Connectives at this link.
In August this year (to not a great deal of fanfare), ISO published a new security standard for cloud services: ISO/IEC 27018 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (“ISO 27018”). Datonomy reported in May this year that this new standard was on its way. This publication is a welcome step towards ensuring compliance with the principles of privacy laws and further boosting customer confidence in cloud computing technologies. Here are Datonomy’s questions and answers on this new security standard.

What’s the aim of ISO 27018? The standard’s aim is to create a common set of security controls that can be implemented by a public cloud computing service provider that is processing personal data on behalf of another party.

How is ISO 27018 structured? The standard is based on (and follows a similar …
Yesterday (12/12/2013), a serious blow was dealt to one of the fundamental building blocks establishing the legal framework for retention of data for law enforcement across Europe. Advocate General Pedro Cruz Villalón (AG) at the Court of Justice of the European Union (ECJ) delivered an opinion stating that the Data Retention Directive (DRD) is, as a whole, incompatible with the individual’s right to privacy in the Charter of Fundamental Rights of the European Union. The opinion has potentially profound implications for law enforcement agencies and for service providers subject to the retention requirements across Europe. The opinion is here.

Background

The DRD requires Member States to implement laws requiring telephone or electronic communications service providers to collect and retain traffic data, location data and the related data necessary to identify the subscriber or user of the services “in order to ensure that the data is available for the purposes of the investigation, …