
Definition: ISO 27018:2019

Protection of Personally Identifiable Information (PII)

What is ISO 27018:2019?

ISO 27018:2019 (formally ISO/IEC 27018:2019) is an international code of practice published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides guidelines for protecting Personally Identifiable Information (PII) in public cloud environments where the cloud service provider acts as a PII processor, that is, processes PII on behalf of, and under the instructions of, its customers.

For Digital Asset Management (DAM) platforms operating in the cloud, ISO 27018:2019 establishes controls and practices for handling PII that may be associated with digital assets, such as user information, contributor data, and metadata containing personal details. The standard builds upon ISO/IEC 27002 by adding cloud-specific implementation guidance for its existing controls, plus a set of additional controls that apply specifically to public cloud PII processors.

ISO 27018:2019 draws on the privacy principles of ISO/IEC 29100, including:

  • Transparency - Clear disclosure of how PII is collected, used, and processed
  • Consent - Appropriate mechanisms for obtaining and managing user consent
  • Purpose Limitation - Using PII only for specified, legitimate purposes
  • Data Security - Implementing technical and organizational measures to protect PII
  • Accountability - Clearly defining roles and responsibilities for PII protection
  • Deletion and Return - Proper procedures for returning or deleting PII when no longer needed

The standard supports compliance with major privacy regulations, including the GDPR, the CCPA, and other regional data protection laws, which makes it particularly valuable for organizations operating across multiple jurisdictions. Note that conformance to ISO 27018 is evidence of good PII-processing practice; it is not, by itself, a certification of compliance with any specific regulation.

What are the benefits of working with an ISO 27018:2019–compliant DAM provider?

A DAM provider that has achieved ISO 27018:2019 compliance demonstrates a commitment to privacy protection and responsible data handling by ensuring it:

  • Implements cloud-specific controls for protecting personal information
  • Provides transparency about how personal data is processed and protected
  • Maintains clear contractual agreements regarding PII handling responsibilities
  • Respects data subject rights including access, correction, and deletion
  • Prevents unauthorized use or disclosure of customer PII
  • Supports compliance with global privacy regulations (GDPR, CCPA, etc.)
  • Enables auditable data handling practices and accountability
  • Builds trust with customers managing content containing personal information

Why is ISO 27018:2019 important for DAM customers?

DAM platforms often process personal information associated with digital assets, including user profiles, contributor details, photo metadata, and collaboration data. ISO 27018:2019 provides assurance that a cloud-based DAM provider has implemented specific privacy controls beyond general information security practices.

This is especially critical for organizations subject to strict privacy regulations, those managing user-generated content, or companies that need to demonstrate privacy-by-design principles to customers, partners, and regulatory authorities.

Is Bynder ISO 27018:2019-certified?

Yes, Bynder has successfully achieved ISO 27018:2019 compliance through independent assessment. Because ISO/IEC 27018 is a code of practice rather than a standalone management-system standard, conformance is assessed as an extension of an ISO/IEC 27001 certification audit, so an ISO 27018 attestation should always be read together with the provider's ISO 27001 certificate and its scope. This demonstrates that Bynder's cloud-based DAM platform implements appropriate controls and practices specifically designed to protect personally identifiable information processed on behalf of customers.

When selecting a DAM provider, we recommend choosing organizations that demonstrate compliance with complementary security and continuity frameworks, including:

  • ISO 27001 - Information Security Management
  • ISO 27018 - Protection of Personally Identifiable Information (PII)
  • ISO 22301 - Business Continuity Management
  • SOC 2 Type II - Independent attestation that DAM security controls operated effectively over a defined review period, not just at a single point in time

Together, these standards reflect a strong, continuous commitment to security, privacy, and reliability. More information about Bynder's certifications and compliance programs can be found on our Security page or our trust portal.
