In This Article
- ISO 27018 and GDPR are fundamentally different: one is a voluntary technical standard, the other is binding law. They complement each other but serve different purposes.
- ISO 27018 controls map well to GDPR Article 28 processor obligations, covering processing under instructions, confidentiality, security, sub-processors, data subject rights, and audit support.
- ISO 27018 certification demonstrates a structured approach to cloud PII protection that supports GDPR compliance but does not guarantee it.
- GDPR requires additional legal measures beyond ISO 27018: legally binding DPAs, international transfer mechanisms (SCCs), and DPIAs.
- Cloud processors serving EU customers benefit significantly from ISO 27018 as evidence of technical and organisational compliance measures.
Overview: Two Different Frameworks
ISO 27018 and GDPR address overlapping concerns — the protection of personal data — but they are fundamentally different in nature, scope, and enforceability.
| Aspect | ISO 27018 | GDPR |
|---|---|---|
| Nature | Voluntary international standard | Binding EU regulation (law) |
| Scope | PII in public cloud (processor focus) | All personal data processing (controllers + processors) |
| Enforcement | Certification body audit | Data protection authorities (fines up to 4% turnover) |
| Geography | Global (voluntary adoption) | EU/EEA (with extraterritorial reach) |
| Focus | Technical and organisational controls | Legal rights, obligations, and principles |
| Output | Certificate (via ISO 27001) | Legal compliance (no certificate) |
The relationship between ISO 27018 and GDPR is best understood as complementary: ISO 27018 provides the technical and organisational controls that demonstrate how a cloud processor implements its GDPR obligations, while GDPR defines the legal obligations themselves.
ISO 27018 is the "how" for cloud processors; GDPR is the "what" and "why." Together, they provide a comprehensive approach to cloud personal data protection.
GDPR Article 28: Processor Obligations
GDPR Article 28 is the primary article governing data processor obligations. It specifies what controllers must require from processors and what processors must implement. ISO 27018 was designed to address many of these requirements.
Article 28(1): Sufficient Guarantees
Controllers must use processors that provide "sufficient guarantees" of appropriate technical and organisational measures. ISO 27018 certification provides strong evidence of such guarantees through independently audited controls specifically designed for cloud PII processing.
Article 28(3): Contractual Requirements
The DPA between controller and processor must address specific elements. ISO 27018 controls map to most of these:
- (a) Process only on documented instructions: ISO 27018's purpose limitation and processing-under-contract controls directly address this requirement
- (b) Confidentiality obligations: ISO 27018's confidentiality controls require binding obligations for all personnel
- (c) Security measures: ISO 27018 enhances ISO 27002 security controls with PII-specific requirements
- (d) Sub-processor conditions: ISO 27018's sub-processor management controls address prior authorisation, equivalent contracts, and transparency
- (e) Data subject rights assistance: ISO 27018 requires mechanisms to support controllers in fulfilling data subject requests
- (f) Security and breach support: ISO 27018's PII incident response controls support breach notification obligations
- (g) Deletion or return: ISO 27018's PII return, transfer, and disposal controls directly address this
- (h) Audit support: ISO 27018's accountability controls include facilitating controller audits
ISO 27018 to GDPR Mapping Table
The following table provides a detailed mapping of ISO 27018 control areas to specific GDPR articles and requirements.
| ISO 27018 Control Area | GDPR Article | GDPR Requirement | Coverage Level |
|---|---|---|---|
| Processing under contract / Purpose limitation | Art. 28(3)(a), Art. 29 | Process only on documented instructions | Full |
| Prohibition of commercial use | Art. 28(3)(a) | No processing beyond controller instructions | Full |
| Confidentiality obligations | Art. 28(3)(b) | Confidentiality commitments for staff | Full |
| Security controls (ISO 27002 enhanced) | Art. 28(3)(c), Art. 32 | Appropriate technical and organisational measures | Full |
| Sub-processor management | Art. 28(2), 28(4) | Prior authorisation, equivalent contracts | Full |
| Data subject rights assistance | Art. 28(3)(e) | Assist controller with data subject requests | Full |
| PII incident response | Art. 33(2) | Notify controller without undue delay | Full |
| PII return, transfer, disposal | Art. 28(3)(g) | Delete or return all personal data after service ends | Full |
| Audit support | Art. 28(3)(h) | Make information available and allow audits | Full |
| Data location transparency | Art. 44-49 (transfers) | International transfer safeguards | Partial (transparency only; legal mechanism needed) |
| Data minimisation | Art. 5(1)(c) | Data minimisation principle | Full (for processor's own processing) |
| Disclosure notification | Art. 48 | Transfers based on court/authority decisions | Partial (notification process, not legal mechanism) |
Data Processing Agreement Requirements
GDPR Article 28(3) requires that processing by a processor is governed by a contract (the DPA) that sets out specific elements. ISO 27018 controls provide the operational substance behind these contractual commitments.
How ISO 27018 Strengthens DPAs
When a cloud provider holds ISO 27018 certification, the DPA can reference the standard's controls as the technical and organisational measures that fulfill contractual commitments. This provides several advantages:
- Specificity: Rather than vague commitments to "appropriate security measures," the DPA can reference specific ISO 27018 controls
- Independent verification: The controls have been audited by an accredited certification body, not just self-attested
- Ongoing assurance: ISO 27001/27018 certification includes surveillance audits, providing continuous assurance rather than a point-in-time assessment
- Standardisation: Controllers can evaluate processors against a consistent, internationally recognised framework
DPA Elements Supported by ISO 27018
A well-structured DPA for an ISO 27018-certified cloud provider typically includes:
- Subject matter and duration of processing (defined in service agreement)
- Nature and purpose of processing (ISO 27018 purpose limitation controls)
- Categories of data subjects and personal data (PII processing inventory)
- Processor obligations (mapped to specific ISO 27018 controls)
- Security measures (reference to ISO 27001/27018 SoA)
- Sub-processor provisions (ISO 27018 sub-processor management controls)
- Data return/deletion (ISO 27018 PII disposal controls)
- Audit rights (ISO 27018 accountability and audit support controls)
Cross-Border Data Transfers
GDPR Chapter V (Articles 44-49) governs international transfers of personal data. This is an area where ISO 27018 provides partial but significant support.
What ISO 27018 Provides
- Data location transparency: Cloud providers must disclose all countries where PII is stored or processed, giving controllers the information needed to assess transfer risks
- Change notification: Controllers must be notified in advance of changes to processing locations, enabling them to assess new transfer scenarios
- Sub-processor location disclosure: The locations of sub-processors are disclosed, covering the full processing chain
What GDPR Requires Beyond ISO 27018
ISO 27018's location transparency is necessary but not sufficient for GDPR transfer compliance. You still need:
- Legal transfer mechanisms: Standard Contractual Clauses (SCCs), adequacy decisions, or other Article 46 safeguards
- Transfer Impact Assessments (TIAs): Assessments of the data protection landscape in the destination country
- Supplementary measures: Additional technical or contractual measures where the legal mechanism alone is insufficient
ISO 27018 certification can serve as a supplementary measure in Transfer Impact Assessments, demonstrating that the processor has implemented internationally recognised PII protection controls regardless of jurisdiction.
Breach Notification Alignment
GDPR Articles 33 and 34 establish breach notification obligations. ISO 27018 provides the operational framework that enables cloud processors to meet these requirements.
GDPR Breach Notification Requirements for Processors
- Art. 33(2): Processors must notify controllers without undue delay after becoming aware of a personal data breach
- Content: Notification must include nature of breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed
How ISO 27018 Supports This
- PII breach classification: ISO 27018 requires categorising incidents by severity, enabling rapid determination of what constitutes a personal data breach
- Accelerated notification: Dedicated PII incident response timelines ensure controllers are notified promptly
- Notification content: Standardised breach notification templates include the elements required by GDPR Article 33(3)
- Detection capability: Enhanced monitoring and logging for PII systems improve breach detection speed
- Testing: Regular PII breach response exercises ensure the notification process works effectively under pressure
Sub-Processor Management
GDPR Article 28(2) and 28(4) set specific requirements for sub-processor engagement. ISO 27018 provides comprehensive controls for this area.
GDPR Sub-Processor Requirements
- Prior specific or general written authorisation from the controller
- Equivalent contractual obligations imposed on sub-processors
- Notification of intended changes (for general authorisation)
- Processor remains liable for sub-processor compliance
ISO 27018 Sub-Processor Controls
- Sub-processor register: Complete list of all sub-processors with roles, locations, and processing activities
- Prior disclosure: Controllers informed before sub-processor engagement
- Change notification: Advance notice of sub-processor changes with controller objection rights
- Equivalent contracts: Sub-processor agreements include PII protection obligations matching the primary processor's commitments
- Compliance assessment: Regular evaluation of sub-processor PII handling practices
The alignment between ISO 27018 and GDPR on sub-processor management is particularly strong, making it one of the areas where the standard provides the most direct compliance support.
Data Subject Rights Support
GDPR Articles 12-22 establish data subject rights including access, rectification, erasure, restriction, portability, and objection. While controllers are primarily responsible for fulfilling these rights, processors must assist.
GDPR Article 28(3)(e) Requirement
Processors must assist controllers in fulfilling their obligations to respond to data subject requests. This requires technical and organisational capability to locate, retrieve, correct, delete, and export personal data.
ISO 27018 Support for Data Subject Rights
- PII retrieval capability: Technical mechanisms (APIs, admin tools) for controllers to locate and retrieve specific PII
- PII export: Data portability support through export in structured, machine-readable formats
- PII correction: Ability for controllers to rectify inaccurate PII through the service interface
- PII deletion: Capability to permanently delete specific PII records, including from backups (within defined timelines)
- Processing restriction: Mechanisms to restrict processing of specific PII without deletion
- Response timelines: Defined SLAs for assisting controllers that enable compliance with GDPR's one-month response requirement
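The list above describes capabilities rather than an implementation. As an added example (written for this article, not code from any cloud provider and not part of ISO 27018), the following Python sketch shows the processor-side mechanics those capabilities imply: locating, exporting, rectifying and erasing a subject's PII, a restriction flag that blocks ordinary processing while still permitting export, a tombstone with a backup-purge deadline, and an instruction log the controller can audit. The in-memory store, the controller name and the 30-day backup-purge window are constructed assumptions.

```python
"""Processor-side data subject request (DSR) handling: an added illustration.

Hypothetical in-memory store written for this article; not any provider's
product code. The 30-day backup-purge window is an assumed contractual timeline.
"""
import json
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

BACKUP_PURGE_WINDOW = timedelta(days=30)  # assumption: contractual backup purge timeline


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False             # restriction: stored but not processed
    erased_at: Optional[datetime] = None  # tombstone set when erasure is instructed


class PiiStore:
    """Holds PII for a controller and executes only its documented instructions."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.instruction_log: List[dict] = []  # evidence for controller audits

    def _log(self, action: str, subject_id: str, controller: str) -> None:
        self.instruction_log.append({"at": datetime.now(timezone.utc).isoformat(),
                                     "controller": controller, "action": action,
                                     "subject_id": subject_id})

    def _live(self, subject_id: str) -> Record:
        rec = self._records.get(subject_id)
        if rec is None or rec.erased_at is not None:
            raise KeyError(f"no live record for {subject_id}")
        return rec

    def ingest(self, subject_id: str, data: dict, controller: str) -> None:
        self._records[subject_id] = Record(subject_id, deepcopy(data))
        self._log("ingest", subject_id, controller)

    def locate(self, subject_id: str) -> bool:
        """Access assistance: does live PII exist for this subject?"""
        rec = self._records.get(subject_id)
        return rec is not None and rec.erased_at is None

    def export(self, subject_id: str, controller: str) -> str:
        """Portability: structured, machine-readable JSON. Allowed even when restricted."""
        rec = self._live(subject_id)
        self._log("export", subject_id, controller)
        return json.dumps({"subject_id": subject_id, "data": rec.data}, sort_keys=True)

    def rectify(self, subject_id: str, changes: dict, controller: str) -> dict:
        rec = self._live(subject_id)
        rec.data.update(changes)
        self._log("rectify", subject_id, controller)
        return deepcopy(rec.data)

    def restrict(self, subject_id: str, controller: str, restricted: bool = True) -> None:
        self._live(subject_id).restricted = restricted
        self._log("restrict" if restricted else "unrestrict", subject_id, controller)

    def process(self, subject_id: str) -> dict:
        """Ordinary service processing: refused while the record is restricted."""
        rec = self._live(subject_id)
        if rec.restricted:
            raise PermissionError(f"processing of {subject_id} is restricted")
        return deepcopy(rec.data)

    def erase(self, subject_id: str, controller: str, now: datetime) -> datetime:
        """Erasure: wipe the data, keep a tombstone, return the backup-purge deadline."""
        rec = self._live(subject_id)
        rec.data, rec.restricted, rec.erased_at = {}, False, now
        self._log("erase", subject_id, controller)
        return now + BACKUP_PURGE_WINDOW

    def overdue_backup_purges(self, now: datetime) -> List[str]:
        """Subjects whose tombstone is older than the backup-purge window."""
        return [s for s, r in self._records.items()
                if r.erased_at is not None and now - r.erased_at > BACKUP_PURGE_WINDOW]


def run_demo() -> dict:
    """Walk one subject through the full request lifecycle; returns checkable results."""
    store, ctl = PiiStore(), "example-controller"  # constructed sample data
    store.ingest("s1", {"email": "a@example.test", "plan": "basic"}, ctl)
    store.rectify("s1", {"plan": "pro"}, ctl)
    store.restrict("s1", ctl)
    try:
        store.process("s1")
        blocked = False
    except PermissionError:
        blocked = True
    exported = store.export("s1", ctl)         # export still works under restriction
    store.restrict("s1", ctl, restricted=False)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    deadline = store.erase("s1", ctl, now=t0)
    return {"blocked_while_restricted": blocked,
            "export_has_pro": '"plan": "pro"' in exported,
            "live_after_erase": store.locate("s1"),
            "deadline_days": (deadline - t0).days,
            "overdue_day31": store.overdue_backup_purges(t0 + timedelta(days=31)),
            "overdue_day10": store.overdue_backup_purges(t0 + timedelta(days=10)),
            "actions": [e["action"] for e in store.instruction_log]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The design point is that restriction and erasure are different states: a restricted record is still exportable and rectifiable but refuses ordinary processing, while an erased record leaves only a tombstone whose timestamp drives the backup-purge deadline the page mentions. Every controller instruction lands in the log, which is the kind of evidence the audit-support controls expect a processor to produce.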
What GDPR Requires Beyond ISO 27018
While ISO 27018 provides substantial support for GDPR processor compliance, several GDPR requirements are beyond its scope:
Legal Framework
- Valid DPA: GDPR requires a legally binding contract meeting Article 28(3) requirements. ISO 27018 provides the operational substance but the legal document itself must be independently prepared.
- Transfer mechanisms: SCCs, adequacy decisions, or BCRs for international transfers are legal instruments outside ISO 27018's scope
- DPO appointment: GDPR may require a Data Protection Officer; ISO 27018 does not address this
Records and Documentation
- Article 30 records: GDPR requires specific records of processing activities. ISO 27018's PII inventory supports this but may not meet all format requirements.
- DPIA support: Controllers may need processor cooperation for Data Protection Impact Assessments beyond what ISO 27018 specifically addresses
National Implementations
- GDPR allows member states to impose additional requirements in certain areas
- National DPA guidance may specify requirements beyond the standard GDPR text
- ISO 27018 provides a baseline that may need supplementation based on specific jurisdictions
For cloud processors serving EU customers, ISO 27018 certification provides the strongest technical and organisational evidence of GDPR processor compliance. Combine it with proper legal documentation (DPAs, SCCs) and internal GDPR governance (DPO, Article 30 records, DPIA processes) for comprehensive compliance coverage.
Frequently Asked Questions
Does ISO 27018 certification mean GDPR compliance?
No. ISO 27018 supports GDPR compliance for cloud processors by addressing many Article 28 requirements, but GDPR compliance requires additional legal measures including valid Data Processing Agreements, Standard Contractual Clauses for international transfers, and Data Protection Impact Assessments that are beyond the scope of ISO 27018.
How does ISO 27018 address GDPR Article 28 requirements?
ISO 27018 covers most GDPR Article 28 processor obligations through its controls for processing under instructions, confidentiality of personnel, security measures, sub-processor management, data subject rights assistance, PII return/deletion on contract end, and audit support for controllers.
Is ISO 27018 enough for GDPR processor obligations?
ISO 27018 addresses the technical and organisational aspects of GDPR processor obligations comprehensively, but does not cover all legal requirements. You still need legally binding DPAs, appropriate international transfer mechanisms such as Standard Contractual Clauses or adequacy decisions, and compliance with specific national implementations of GDPR.
How does ISO 27018 handle cross-border data transfers?
ISO 27018 requires transparency about data processing locations and advance notification of changes, which supports GDPR transfer compliance. However, it does not provide the legal transfer mechanisms required by GDPR such as Standard Contractual Clauses or adequacy decisions. These must be implemented separately through legal agreements.
Should cloud processors pursue ISO 27018 or ISO 27701 for GDPR?
ISO 27018 specifically targets cloud PII processors and maps well to GDPR Article 28 requirements. ISO 27701 provides broader privacy management coverage including controller obligations. For cloud processors focused on demonstrating GDPR compliance, ISO 27018 is more targeted. For organisations needing comprehensive privacy management, ISO 27701 is more suitable. Many cloud providers pursue both for complete coverage.