The General Data Protection Regulation (GDPR) is a new European privacy law, due to come into force on May 25, 2018, which protects European Union (EU) citizens' right to privacy. It introduces robust requirements that will raise standards of data protection, security and compliance. The GDPR will replace the current EU Data Protection Directive and aims to harmonize data protection laws across the EU.

Personally identifiable information (PII) is any data that can be used to identify a specific individual. Phone number, email address, passport/ID number and even digital images are included. The GDPR gives people greater control over their PII, while imposing strict obligations on organizations that collect, process or analyse personal data. It also imposes heavy fines for non-compliance and data breaches

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting confidential patient data. Companies that handle protected health information (PHI) must have physical, network and process security measures in place and follow them to ensure HIPAA compliance. Covered entities (anyone who provides treatment, payment and operations in the healthcare field) and business associates (anyone who has access to patient information and provides support in treatment, payment or operations) must comply with HIPAA compliance.

ISO/IEC 27701:2019 is a data privacy extension of ISO 27001. This recently published information security standard provides guidance for organisations looking to implement systems to support compliance with the GDPR and other data privacy requirements. ISO 27701, also abbreviated as PIMS (Privacy Information Management System), describes a framework for Controllers of Personally Identifiable Information (PII) and Processors of PII to manage data privacy.

Article 42 of the GDPR discusses data protection certification mechanisms and data protection seals and marks. No such mechanisms exist yet. However, it is possible to obtain independently accredited certification to ISO 27001 and ISO 27701 by implementing their controls - which will demonstrate to all interested parties that Zadara - and therefore your organisation - is following international best practice when it comes to protecting personal data/PII.
The aim of this standard is to provide organisations with a practical framework with which they can extend their existing ISMS (Information Security Management System) to become a PIMS (Privacy Information Management System).

Defining ISO27018 ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII) in the public cloud computing environment. It takes into account regulatory requirements for the protection of PII that may be applicable in the context of a public cloud service provider's information security risk environment(s).

Defining ISO27017 ISO/IEC 27017:2015 provides guidelines for information security controls applicable to the provision and use of cloud services, providing additional controls with implementation guidance that relate specifically to cloud services.

This International Standard provides controls and implementation guidance for cloud service providers and cloud service customers..

Defining ISO 27001
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for information security management. It is a framework of policies and procedures that includes all the legal, physical and technical controls involved in an organization's information risk management processes.

As a formal specification, ISO 27001 requires specific requirements. Organizations that claim to have adopted ISO 27001 can therefore be formally audited and certified in accordance with the standard.

ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system".

ISO 27001 is the de facto international standard for Information Security Management.

The Service Organization Controls (SOC) are a set of standards designed to measure the ability of a given service organization to control its information in its service environments (for example, the clouds it manages). SOC 1 compliance concerns the internal controls of an advanced IT services organization. A company achieves SOC 1 compliance by having sufficient policies and strategies in place to protect customer data.

About SOC 2
Although many companies understand the benefits of migrating basic functions, such as data storage, to the cloud, some companies are still hesitant due to security concerns. SOC 2 compliance gives companies the confidence and peace of mind of knowing that their data is protected and highly available.

Defining SOC
Service Organization Controls (SOC) are a set of standards designed to measure a given service organization's ability to control its information in its service environments (for example, the clouds it manages). SOC 1 compliance concerns the internal controls of an advanced IT services organization. A company achieves SOC 1 compliance by having sufficient policies and strategies in place to protect customer data.

About SOC 1
The SOC 1 report focuses on a service organization's controls that are relevant to an audit of a service organization's client financial statements. The control objectives relate to the business and information technology processes implemented by Zadara to protect the financial information stored on the Zadara platform. The SOC 1 Type II report includes a description of the controls in the Zadara clouds, as well as an opinion on the operating effectiveness of these controls over a period of time.