ISO 27018 Cloud Privacy Assessment

Evaluate a public cloud service's privacy controls against ISO/IEC 27018:2019, the code of practice for protecting Personally Identifiable Information (PII) in public clouds acting as PII processors. The controls complement, but do not replace, GDPR and HIPAA obligations.

Industries: Technology, Healthcare, Biotech, Finance, All. Estimated time: 20 minutes. 20 questions.

1. Consent & Transparency

Do you obtain explicit consent before processing PII in the cloud?*

ISO 27018 Annex A.1 (Consent and choice) and A.2.2: the customer, as controller, obtains consent from the PII principals; the cloud processor must give the customer the means to honour that consent and must not process the PII for its own marketing or advertising without the principal's express consent.

Are data processing purposes clearly documented and limited to stated purposes?*

ISO 27018 Annex A.2 (Purpose legitimacy and specification): process PII only for the purposes the customer has specified and documented, never for the processor's own purposes.

Do you provide transparency about data location and cross-border transfers?*

ISO 27018 Annex A.11.1 (Geographical location of PII): tell customers in which countries PII may be stored and processed, including by subprocessors, so they can assess cross-border transfer restrictions.

Are privacy policies and data processing agreements publicly available?*

ISO 27018 Annex A.7 (Openness, transparency and notice): privacy practices and contractual terms are available to customers and PII principals before processing begins.

2. PII Processing Controls

Is PII collected limited to what is necessary for the stated purpose (data minimization)?*

GDPR Article 5(1)(c) and ISO 27018 Annex A.4 (Data minimization): collect PII that is adequate, relevant and limited to what is necessary, and securely erase temporary files and working copies once they are no longer needed (A.4.1).

Are retention periods defined and enforced for all PII categories?*

ISO 27018 Annex A.9.3 (PII return, transfer and disposal) and GDPR Article 5(1)(e): keep PII no longer than the stated purpose requires, then return it or dispose of it securely, backups included. A retention period is only enforced if a job actually deletes expired data.

Do you anonymize or pseudonymize PII where possible to reduce risk?*

GDPR Article 25 (data protection by design and by default) names pseudonymisation as an example measure; truly anonymised data falls outside the GDPR (Recital 26). Pseudonymised data is still PII because the mapping back to the individual exists, and a plain hash of an identifier is not pseudonymisation since anyone can recompute it.
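As an added example (not code from the original page), the following Go program pseudonymises a constructed PII table with a keyed HMAC rather than a bare hash. The key is assumed to come from a KMS and is never stored next to the pseudonymised rows; the identifier is normalised first so the same person always yields the same token, which keeps joins and access or erasure requests workable. UnkeyedHash is included only to show the weak variant.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Pseudonymizer replaces a direct identifier (e-mail, national ID) with a
// keyed token. Because the token is an HMAC under a secret key, someone who
// obtains only the pseudonymised data set cannot recover identities by hashing
// guesses, which a plain SHA-256 of an e-mail address would allow.
type Pseudonymizer struct {
	key []byte // assumed to come from a KMS; never stored beside the pseudonymised data
}

func NewPseudonymizer(key []byte) *Pseudonymizer {
	return &Pseudonymizer{key: key}
}

func normalize(identifier string) string {
	return strings.ToLower(strings.TrimSpace(identifier))
}

// Pseudonym is deterministic for a given key, so the same person always maps
// to the same token: records can still be joined, and an access or erasure
// request can be resolved by recomputing the token from the identifier.
func (p *Pseudonymizer) Pseudonym(identifier string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(normalize(identifier)))
	return "pid_" + hex.EncodeToString(mac.Sum(nil))
}

// UnkeyedHash is the weak variant: anyone can recompute it from a guessed
// identifier, so it only looks pseudonymous.
func UnkeyedHash(identifier string) string {
	sum := sha256.Sum256([]byte(normalize(identifier)))
	return hex.EncodeToString(sum[:])
}

// Record and PseudoRecord are constructed examples of a PII row before and
// after pseudonymisation; the direct identifier is dropped entirely.
type Record struct {
	Email  string
	Visits int
}

type PseudoRecord struct {
	Subject string
	Visits  int
}

func (p *Pseudonymizer) Pseudonymize(recs []Record) []PseudoRecord {
	out := make([]PseudoRecord, 0, len(recs))
	for _, r := range recs {
		out = append(out, PseudoRecord{Subject: p.Pseudonym(r.Email), Visits: r.Visits})
	}
	return out
}

func main() {
	// Constructed sample data; in production the key comes from a KMS.
	p := NewPseudonymizer([]byte("example-secret-key-from-kms"))
	rows := []Record{{"Alice@Example.com", 3}, {"alice@example.com ", 2}, {"bob@example.org", 1}}
	for _, r := range p.Pseudonymize(rows) {
		fmt.Printf("%s visits=%d\n", r.Subject, r.Visits)
	}
}
```

Rotating the pseudonymisation key changes every token, so keep the key under the same lifecycle controls as an encryption key and re-run the mapping rather than mixing tokens from two keys in one data set.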

Are audit logs maintained for all PII access and modifications?*

Accountability (ISO 27018 Annex A.9, with A.10.3 on logging data restoration and A.10.9 on records of authorized users): record who accessed, modified, deleted or restored PII and when, protect the log itself from tampering, and keep the PII out of the log so it does not become another copy of the data.
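One way to make such a log tamper-evident, as an added Go example that is not part of the original page: each event is HMAC-chained to the previous one, so editing, reordering or dropping an interior event breaks every later link. The signing key is assumed to be held by the logging service alone, and the events below are constructed with a fixed clock.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent records one access to, or change of, a PII record. It carries a
// pseudonymous subject reference, never the PII itself.
type AuditEvent struct {
	Seq     int       `json:"seq"`
	Time    time.Time `json:"time"`
	Actor   string    `json:"actor"`    // user or service identity that acted
	Action  string    `json:"action"`   // read, update, delete, export, restore
	Subject string    `json:"subject"`  // pseudonymous id of the PII principal
	PrevMAC string    `json:"prev_mac"` // MAC of the previous event (chain link)
	MAC     string    `json:"mac"`      // HMAC-SHA256 over this event with MAC cleared
}

// AuditLog is an append-only, HMAC-chained log.
type AuditLog struct {
	key    []byte // log signing key, assumed to be held by the logging service only
	Events []AuditEvent
}

func NewAuditLog(key []byte) *AuditLog {
	return &AuditLog{key: key}
}

func (l *AuditLog) mac(ev AuditEvent) string {
	ev.MAC = "" // ev is a copy; the stored event is untouched
	body, err := json.Marshal(ev)
	if err != nil {
		panic(err) // only fails on unmarshalable types, which this struct cannot contain
	}
	m := hmac.New(sha256.New, l.key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event and links it to the previous one.
func (l *AuditLog) Append(at time.Time, actor, action, subject string) AuditEvent {
	prev := ""
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].MAC
	}
	ev := AuditEvent{Seq: len(l.Events), Time: at.UTC(), Actor: actor, Action: action, Subject: subject, PrevMAC: prev}
	ev.MAC = l.mac(ev)
	l.Events = append(l.Events, ev)
	return ev
}

// Verify walks the chain and returns the index of the first event whose
// sequence number, link or MAC does not check out, or -1 if the log is intact.
// Truncation at the tail is not detectable from the log alone: anchor the
// latest MAC somewhere external (a separate store or a periodic customer report).
func (l *AuditLog) Verify() int {
	prev := ""
	for i, ev := range l.Events {
		if ev.Seq != i || ev.PrevMAC != prev || !hmac.Equal([]byte(l.mac(ev)), []byte(ev.MAC)) {
			return i
		}
		prev = ev.MAC
	}
	return -1
}

func main() {
	// Constructed events with a fixed clock so the output is reproducible.
	al := NewAuditLog([]byte("audit-signing-key-from-kms"))
	t0 := time.Date(2024, 5, 1, 9, 0, 0, 0, time.UTC)
	al.Append(t0, "svc-billing", "read", "pid_7a1c")
	al.Append(t0.Add(time.Minute), "alice.admin", "update", "pid_7a1c")
	al.Append(t0.Add(2*time.Minute), "dsr-portal", "delete", "pid_7a1c")
	fmt.Println("intact, first bad index:", al.Verify())
	al.Events[1].Actor = "nobody" // simulate after-the-fact editing
	fmt.Println("tampered, first bad index:", al.Verify())
}
```

The chain proves integrity of what was written, not completeness of what should have been written: every code path that touches PII still has to call Append, which is the part an assessor should look for.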

3. Data Subject Rights

Do you provide mechanisms for data subjects to access their PII?*

GDPR Article 15: Right of access to personal data

Can data subjects request correction or rectification of inaccurate PII?*

GDPR Article 16: Right to rectification of inaccurate personal data

Do you honor data subject requests for deletion (right to be forgotten)?*

GDPR Article 17: right to erasure, subject to the exceptions in Article 17(3). Article 12(3) sets the deadline: act without undue delay and at the latest within one month of the request, extendable by two further months for complex requests. As a processor, assist the controller (Article 28(3)(e)) and propagate erasure to backups and subprocessors.

Can data subjects export their data in a portable format (data portability)?*

GDPR Article 20: right to receive personal data in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible

4. Security & Encryption

Is PII encrypted at rest using AES-256 or equivalent?*

ISO 27018 Annex A.10.4 and A.10.5 point to encryption as the control for PII on storage media; apply it to all stored PII. AES-256 in an authenticated mode such as GCM prevents both disclosure and undetected modification. Confirm the control covers backups, snapshots, search indexes and logs, not only the primary database.

Is PII encrypted in transit using TLS 1.2+ for all communications?*

ISO 27018 Annex A.10.6: encrypt PII transmitted over public networks. Disable TLS 1.0 and 1.1, prefer TLS 1.3, and cover service-to-service, replication and backup traffic, not only client connections.

Are encryption keys managed securely with access controls and rotation?*

Key management: store keys in a KMS or HSM separate from the data, separate the right to use a key from the right to administer it, log every use, and rotate on a schedule. Tag each ciphertext with a key identifier so rotation does not break decryption of older data and records still under an old key can be found and re-encrypted before that key is retired.
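The three controls above fit together in one design. The following Go program is an added example, not code from the original page or from any vendor: a KeyStore stands in for a KMS, each blob is sealed with AES-256-GCM and carries the id of the key that sealed it, rotation adds a key without breaking reads of older records, and StrictTLSConfig is the minimum in-transit setting. The record id is bound as additional authenticated data so a blob cannot be copied onto another record. The PII and record ids are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KeyStore stands in for a KMS or HSM: keys live here, never beside the ciphertext.
type KeyStore struct {
	keys    map[uint32][]byte
	current uint32 // key id used for new writes; every blob records its key id
}

func NewKeyStore() (*KeyStore, error) {
	ks := &KeyStore{keys: map[uint32][]byte{}}
	return ks, ks.Rotate()
}

// Rotate makes a fresh 256-bit key current; older keys stay so existing
// records remain readable until they are re-encrypted (see main).
func (ks *KeyStore) Rotate() error {
	k := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.current++
	ks.keys[ks.current] = k
	return nil
}

// aead returns AES-GCM for a key id; the authenticated mode makes tampering fail Open.
func (ks *KeyStore) aead(id uint32) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, fmt.Errorf("key id %d not available", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record as keyID(4) || nonce(12) || ciphertext+tag. The record
// id is bound as additional data so a blob cannot be moved to another record.
func (ks *KeyStore) Seal(recordID string, pii []byte) ([]byte, error) {
	g, err := ks.aead(ks.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(pii)+g.Overhead())
	binary.BigEndian.PutUint32(out, ks.current)
	return g.Seal(append(out, nonce...), nonce, pii, []byte(recordID)), nil
}

// KeyID reports which key sealed a blob (0 for a malformed blob), so a rotation
// job can select the records that still need re-encryption.
func KeyID(blob []byte) uint32 {
	if len(blob) < 4 {
		return 0
	}
	return binary.BigEndian.Uint32(blob[:4])
}

// Open decrypts with whichever key sealed the blob, current or older.
func (ks *KeyStore) Open(recordID string, blob []byte) ([]byte, error) {
	g, err := ks.aead(KeyID(blob))
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < 4+ns+g.Overhead() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[4:4+ns], blob[4+ns:], []byte(recordID))
}

// StrictTLSConfig is the in-transit counterpart: refuse TLS 1.0 and 1.1.
func StrictTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	ks, _ := NewKeyStore()
	blob, _ := ks.Seal("patient-42", []byte(`{"dob":"1980-01-01"}`)) // constructed PII
	_ = ks.Rotate()                                                  // key 2 is now current
	pii, _ := ks.Open("patient-42", blob)                            // still readable under key 1
	fresh, _ := ks.Seal("patient-42", pii)                           // re-encrypted under key 2
	fmt.Printf("record moved from key %d to key %d\n", KeyID(blob), KeyID(fresh))
}
```

Retiring key 1 is then a matter of deleting it from the store once no blob reports KeyID 1; doing it earlier makes those records unreadable, which is the usual way a rotation policy turns into a data-loss incident.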

5. Subprocessor Management

Do you maintain a list of subprocessors (vendors) that process PII?*

ISO 27018 Annex A.7.1 (Disclosure of sub-contracted PII processing) and GDPR Article 28: list each subprocessor, what PII it handles and in which country.

Are data processing agreements (DPAs) in place with all subprocessors?*

GDPR Article 28(4) and ISO 27018 Annex A.10.12: the processor must impose by contract the same data protection obligations on each subprocessor as it holds towards the controller.

Do you notify customers before adding new subprocessors?*

GDPR Article 28(2): subprocessors may be engaged only with the controller's prior specific or general written authorisation; under a general authorisation the controller must be informed of additions or replacements and given the opportunity to object.

6. Breach Notification & Accountability

Do you have procedures to detect PII breaches and escalate them to customers quickly enough for their 72-hour notification deadline?*

GDPR Article 33(1): the controller must notify the supervisory authority within 72 hours of becoming aware of the breach. That deadline belongs to the controller, so the processor's detection, triage and escalation must leave the customer enough of the window to meet it.

Are customers (data controllers) notified of PII breaches without undue delay?*

GDPR Article 33(2): the processor must notify the controller without undue delay after becoming aware of a breach; ISO 27018 Annex A.9.1 likewise requires prompt notification to the customer, with enough detail for the customer to assess the impact.

Questions marked * are required.