February 19, 2015
Today marks a significant milestone as Microsoft becomes the first major cloud service provider to adopt the world’s first international standard for cloud privacy. This is another reason why customers can confidently move to the Microsoft Cloud.
The standard in question might seem technical, but it has important practical benefits for business customers around the world. It is known as ISO/IEC 27018, and was developed by the International Organization for Standardization (ISO) to establish an international and uniform approach to protecting the privacy of personal data stored in the cloud.
The British Standards Institute (BSI) has independently verified that, together with Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard's code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. Similarly, Bureau Veritas has done the same for Microsoft Intune.
Why is this important?
There are multiple reasons. Adhering to ISO 27018 assures business customers that privacy will be protected in a number of ways:
- You are in control of your data. Our adherence to the standard ensures that we will only process personal data in accordance with the instructions that you provide us as our clients.
- You know what happens to your data. Adherence to the standard ensures transparency about our policies regarding the return, transfer and deletion of personal information that you store in our data centers. We will not only let you know where your data is, but also, if we work with other companies that need to access your data, we will let you know who we are working with. In addition, we will inform you if there is unauthorized access to the processing equipment or to the facilities that results in the loss, disclosure or alteration of personal data.
- We provide strong security protection for your data. Adherence to ISO 27018 provides a number of important security safeguards. It ensures that there are defined restrictions on how we handle personal data, including restrictions on its transmission over public networks, storage on portable media, and appropriate processes for data recovery and restoration efforts. In addition, the standard ensures that all people who process personal data, including our own employees, are bound by an obligation of confidentiality.
- Your data will not be used for advertising. Increasingly, business customers have been expressing concerns about the use of their data without their consent, for advertising purposes, by cloud service providers. Adoption of this standard reaffirms our longstanding commitment not to use business customer data for advertising purposes.
- We inform you about government access to your data. The standard requires that requests by government or judicial authorities to disclose personal data be disclosed to you as business customers, unless such disclosure is prohibited by law. We have already embraced this approach (and many more), and the adoption of the standard reinforces this commitment.
All of these commitments are even more important in today’s legal environment, where business clients have their own regulatory compliance obligations related to the protection of personal data. We are optimistic that the ISO 27018 standard can serve as a platform for both regulators and clients in their quest to ensure strong privacy protection in different geographies and different industry sectors.
This news is just another way we’ve been working to help strengthen privacy protections and regulatory compliance for our cloud customers. In the spring of last year, we received confirmation from the data protection authorities in Europe that Microsoft’s enterprise cloud contracts are in line with the “model clauses” under European Union data protection law regarding international data transfer. In addition, at the end of 2014, Microsoft became one of the first companies to sign the Student Privacy Pledge, developed by the Future of Privacy Forum and the Software & Information Industry Association to establish a common set of principles to protect student privacy and information.
As we have stated before, clients will only use the services they trust. The validation that we have adopted this standard is further evidence of our commitment to protect the privacy of our customers online.
By: Brad Smith, General Counsel and Executive Vice President of Legal and Corporate Affairs, Microsoft.