Domain 6: Legal, Risk & Compliance Module 64 of 70

Module 64: Privacy Standards (GDPR, ISO 27018)

The CCSP exam tests privacy standards as frameworks for making decisions, not as regulations to memorize. When the exam references GDPR or ISO 27018, it is asking how these standards guide cloud privacy architecture and vendor evaluation.

GDPR — Exam-Relevant Provisions

The General Data Protection Regulation dominates CCSP privacy questions. The exam does not test every GDPR article — it tests the provisions that directly affect cloud computing decisions.

Territorial Scope (Article 3)

GDPR applies to any organization that processes the personal data of data subjects in the EU, either through an EU establishment or, for organizations established outside the EU, by offering goods or services to those data subjects or monitoring their behaviour. Where the organization itself is located does not matter. The exam tests this repeatedly: a US company using a US cloud provider to process EU customer data must comply with GDPR.

Lawful Basis for Processing (Article 6)

Processing personal data requires a lawful basis: consent, contract performance, legal obligation, vital interest, public task, or legitimate interest. The exam tests whether you identify the appropriate basis for cloud processing scenarios. Moving data to the cloud does not create a new lawful basis — the original basis must cover cloud processing.

Data Processor Requirements (Article 28)

When using a cloud provider as a processor, the controller must have a written contract (a data processing agreement) that binds the processor to act only on the controller's documented instructions, imposes confidentiality obligations on staff, requires appropriate security measures, restricts the engagement of subprocessors without the controller's authorization, requires the processor to assist the controller with data subject rights and breach obligations, and requires deletion or return of the data when processing ends. The exam tests whether cloud contracts meet Article 28 requirements.

Breach Notification (Articles 33-34)

Controllers must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Data subjects must be notified without undue delay if the breach is likely to result in a high risk to them. Article 33 also requires a processor to notify its controller without undue delay after becoming aware of a breach. The exam tests the timeline and obligations, and whether CSP contracts include breach notification commitments that enable the customer to meet its 72-hour obligation.

Exam trap: The 72-hour notification clock starts when the controller becomes aware of the breach, not when it occurred. If the CSP delays notifying the customer, the customer's clock still runs from the moment the customer becomes aware, but the controller is expected to have arrangements in place (including contractual notification terms) that let it become aware promptly, which makes CSP notification timelines critical.

International Transfers (Chapter V)

Transferring personal data outside the EU requires adequacy decisions, SCCs, BCRs, or other approved mechanisms. The exam tests these transfer mechanisms as covered in Module 61.

ISO/IEC 27018 — Cloud Privacy

ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors. It builds on ISO/IEC 27002 by adding cloud-specific implementation guidance and additional privacy controls derived from the ISO/IEC 29100 privacy principles. The exam tests ISO 27018 as a standard for evaluating cloud provider privacy practices.

Key ISO 27018 Controls

  • Consent and choice: PII must be processed only with the customer's consent and for agreed purposes. The cloud provider must not use customer data for marketing or their own purposes.
  • Purpose legitimacy: Processing must be limited to the purposes specified in the contract.
  • Data minimization: Cloud providers should minimize temporary files and ensure they do not retain data beyond the agreed period.
  • Disclosure notification: Providers must notify customers of any legally required disclosure of PII (such as law enforcement requests), unless prohibited.
  • Subcontractor management: Providers must disclose subcontractors who process PII and ensure they meet equivalent protection standards.

ISO/IEC 27701 — Privacy Information Management

ISO 27701 extends ISO 27001 with a privacy information management system (PIMS). The exam may reference ISO 27701 as the certifiable standard for demonstrating privacy management maturity. It helps organizations demonstrate GDPR compliance through a structured management system approach.

Other Privacy Standards and Frameworks

  • AICPA Privacy (SOC 2): The privacy trust services criteria in SOC 2 reports address how organizations collect, use, retain, disclose, and dispose of personal information. The exam tests SOC 2 privacy reports as a cloud provider evaluation tool.
  • APEC CBPR: The Asia-Pacific cross-border privacy rules system facilitates data transfers across APEC economies. The exam may reference this as an alternative to EU transfer mechanisms for Asia-Pacific operations.
  • CSA Code of Conduct for GDPR: The Cloud Security Alliance provides cloud-specific guidance for GDPR compliance. The exam may reference this as supplementary to ISO standards.

Applying Standards for Cloud Provider Evaluation

The exam expects you to use privacy standards as evaluation criteria when selecting cloud providers. A provider whose ISO 27001 certification includes the ISO 27018 controls in scope demonstrates cloud-specific privacy practices (ISO 27018 is a code of practice, so providers are certified against ISO 27001 with 27018 included rather than against 27018 on its own). A provider with a SOC 2 report that covers the privacy criteria provides audited evidence of privacy controls. The exam tests whether you combine multiple standards for comprehensive privacy assurance.

Common Exam Traps

  • GDPR as technical standard: GDPR is a regulation, not a technical standard. It defines obligations, not implementation details.
  • ISO 27018 as regulation: ISO 27018 is a voluntary standard. It provides guidance but does not carry legal force.
  • Single standard sufficiency: No single standard covers all privacy requirements. The exam expects layered assurance from multiple frameworks.
  • Certification equals compliance: ISO 27001/27018 certification does not automatically mean GDPR compliance. Certification demonstrates that controls are in place; compliance requires ongoing legal analysis of lawful basis, transfer mechanisms, and the controller's own obligations.

Key Takeaways for the Exam

GDPR's extraterritorial scope, processor requirements, and breach notification timelines are heavily tested. ISO 27018 provides cloud-specific privacy controls for provider evaluation. ISO 27701 extends ISO 27001 with privacy management. SOC 2 privacy criteria provide audited assurance. Multiple standards provide layered privacy assurance. Standards are tools for evaluation and implementation, not substitutes for legal compliance.
