Insurance, Privacy & Data Security News | Nov 2014 | DAC Beachcroft

DAC Beachcroft Adviser Newsletter

November 2014 Cyber Risk legal update

Cloud, Compliance, Cyber Essentials, Big Data & Enforcement

As the days get more and more overcast and the nights draw in, what more fitting than another piece of "cloud" documentation to consider when engaging with a cloud services provider. This autumn has seen the acknowledgment of a plethora of international standards on cloud computing.  
I say acknowledgment rather than launch as many were published back in August. However, there has been little if any fanfare over their launch by the International Standards Organisation and it has only come to the attention of the data protection community in the last few weeks.
ISO/IEC 17788 and 17789 provide standardized definitions of common cloud computing terms, such as Software as a Service, and of cloud deployment models such as "public" and "private" clouds, along with diagrams and descriptions of how the various aspects of cloud computing relate to one another. Of more interest to the data protection community is the new ISO27018:2014, not so catchily titled: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
Compliance with this standard should give cloud customers comfort towards ensuring their own compliance with data protection obligations.  For example, the standard imposes the following requirements on the cloud provider:
  • only process personal data in accordance with the customer’s instructions;
  • assist the customer in cases of data subject access requests;
  • notify the customer in the event of data breach;
  • impose adequate confidentiality obligations on individuals accessing the personal data; and
  • flow down technical and organisational measures to sub-processors.
This standard provides a useful tool for a customer to evaluate the cloud services and data handling practices of a potential cloud supplier and will be a useful reference point to form part of a wider contractual framework to secure personal data. I would recommend clients start asking their cloud providers about their plans for ISO27018 compliance and it may become good industry practice to insist on such compliance going forward.
For DAC Beachcroft privacy updates, please follow us on Twitter at @DACBprivacy

UK Developments


EU Data Protection Regulation Developments

  • Report warns that EU DP rules might be a hindrance in tackling fraud


Updates from around the World...

Key Dates Calendar

1 December 2014

Enforced Subject Access to become a criminal offence

Review of the employment and claims handling policies to ensure compliance

6 December 2014

Consultation for reducing the threshold applicable to fining for nuisance calls closes.

Consider response

9 December 2014

Sign up to our next Minster Court Forum: We've got it covered – what you might have missed in 2014 and what you won't want to miss in 2015.

If you would like to attend please click here to RSVP. A confirmation email will be sent a week before the event.


Adoption of a final text of the Data Protection Regulation.

Watch for updates

For more information on DAC Beachcroft please contact:


Rhiannon Davies, Associate

+44 (0) 20 7894 6577
