Following news that Microsoft has become the first major cloud provider to adopt the world’s first international standard for cloud privacy, what does this mean for New Zealand businesses considering a move to the cloud?
“The standard in question may seem technical,” acknowledges Brad Smith - General Counsel & Executive Vice President, Legal and Corporate Affairs, Microsoft, “but it has important practical benefits for enterprise customers around the world.”
According to Smith, who revealed the news this week, the standard is known as ISO/IEC 27018 and was developed by the International Organisation for Standardisation (ISO) with the aim of formulating a collective international approach to protecting privacy for personal data stored in the cloud.
Furthermore, Smith says the British Standards Institute (BSI) has now independently verified that in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud.
And similarly, Bureau Veritas has done the same for Microsoft Intune.
Now why does this matter to New Zealand?
“The reasons are multiple,” explains Smith, claiming adherence to ISO 27018 assures enterprise customers that privacy will be protected in several distinct ways.
Smith says Microsoft’s adherence to the standard ensures that the tech giant only processes personally identifiable information according to the instructions provided by the customer.
“You also know what’s happening with your data,” Smith adds. “Adherence to the standard ensures transparency about our policies regarding the return, transfer, and deletion of personal information you store in our data centres.”
As a result, the official party line from Redmond is that no matter where your organisation resides in the world, New Zealand included, “we’ll not only let you know where your data is, but if we work with other companies who need to access your data, we’ll let you know who we’re working with.”
In addition, Smith says if there is unauthorised access to personally identifiable information or processing equipment or facilities resulting in the loss, disclosure or alteration of this information, Microsoft now has a duty to inform.
Addressing what is seen as one of the key barriers to cloud adoption, across New Zealand and the wider markets, Microsoft says its new cloud privacy standard ensures “strong security” protection for organisations’ data.
“Adherence to ISO 27018 provides a number of important security safeguards,” Smith explains.
“It ensures that there are defined restrictions on how we handle personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.