The Algorithm
Cloud Security

ISO 27018 (Protection of PII in Public Clouds)

The international standard establishing controls for protecting personally identifiable information in public cloud computing environments.

What You Need to Know

ISO/IEC 27018:2019, "Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors," supplements ISO 27002 and ISO 27027 with PII-specific controls for cloud service providers acting as data processors. It is directly referenced by GDPR Article 28 as a mechanism to demonstrate processor compliance, and by multiple national data protection authorities as evidence of adequate technical and organizational measures. ISO 27018 introduces a set of extended controls — Annex A of the standard — organized around: consent and choice (A.1), purpose legitimacy and specification (A.2), collection limitation (A.3), use, retention, and disclosure limitation (A.4), openness, transparency, and notice (A.5), individual participation and access (A.6), accountability (A.7), information security (A.8), PII breach notification (A.9), anonymization and deletion (A.10), and temporary files (A.11).

Control A.9 — PII breach notification — requires cloud service providers to notify PII principals or controllers "without undue delay" of any breach that may adversely affect PII, and to provide sufficient information for the controller to notify the supervisory authority. This creates a cascading notification obligation: the CSP must have breach detection, assessment, and notification pipelines capable of meeting GDPR's 72-hour supervisory authority window, because the controller's clock starts when they become aware — and a CSP that delays notification effectively consumes the controller's notification window. Control A.10 requires secure deletion of PII within a defined and agreed retention period, with a default of deletion upon contract termination, and requires that CSPs provide evidence of deletion — a requirement for deletion certificates or verifiable audit logs of data destruction.

ISO 27018 control A.1 addresses consent specifically in the cloud context: CSPs must not use PII for direct marketing, advertising, or profiling without the PII principal's specific consent — consent obtained through the controller's terms of service does not constitute the CSP's own consent basis. This control directly prohibits the use of customer data to train AI models, improve CSP-proprietary services, or build advertising profiles without explicit authorization. Control A.8.1 requires that if PII is transferred to a sub-processor, the CSP must maintain a list of sub-processors and notify the controller of any sub-processor changes with sufficient notice to allow the controller to exercise an objection right before the sub-processor commences processing — the GDPR Article 28(2) equivalent operationalized as a technical and contractual obligation.

How We Handle It

We assess cloud vendor ISO 27018 certifications as part of vendor due diligence, verifying that breach notification, deletion certificate, and sub-processor change notification obligations are contractually bound to timelines compatible with our clients' GDPR Article 33 windows. Our data processing agreements with cloud vendors include ISO 27018 Annex A controls as contractual schedule requirements with audit rights.
