World’s first global cloud privacy standard adopted by Microsoft

Marking a major cloud milestone, Microsoft has announced that it will adopt the world’s first international standard for cloud privacy – the first major cloud provider to do so.

The standard, known as ISO/IEC 27018, was developed by the International Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal data stored in the cloud.

The British Standards Institute (BSI) has now independently verified that in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud.

Bureau Veritas has also done the same for Microsoft Intune.

The reason that this is such a major cloud milestone is that compliance to the ISO/IEC 27018 standard assures enterprise customers that privacy will be protected in several distinct ways.

The first way in which the standard protects privacy is that Microsoft will only process personally identifiable information according to the instructions that the customer provides them.

Secondly, customers will know exactly what is happening to their data. Adherence to the standard ensures transparency about Microsoft’s policies regarding the return, transfer, and deletion of personal information the customer stores in their data centres.

Adherence to ISO 27018 also provides a number of important security safeguards. It ensures that there are defined restrictions on how Microsoft handles personally identifiable information, including restrictions on its transmission over public networks, storage on transportable media, and proper processes for data recovery and restoration efforts.

The standard also ensures that everyone who processes personally identifiable information, including Microsoft employees, must be subject to a confidentiality obligation.

Compliance to the standard also guarantees that Microsoft will not use any data for advertising without consent, while also informing customers about government access to data.

Writing on the Microsoft blog, Brad Smith, General Counsel & Executive Vice President, Legal and Corporate Affairs, commented: "As we’ve said before, customers will only use services that they trust."

"The validation that we’ve adopted this standard is further evidence of our commitment to protect the privacy of our customers online."