Cloud Privacy Beyond Legal Compliance: An NLP analysis of certifiable privacy and security standards

By implementing standards and becoming certified, organizations can demonstrate good practices and trustworthiness. However, privacy standards are relatively immature, and the privacy research community rarely examines the individual controls of organizational standards (e.g., ISO 27017, SOC-2), which are what concretely implements privacy principles. It is also very time-consuming to monitor evolving standards, assess relevance and usefulness in a given context, and whether the effort and expense of becoming certified makes sense. In this paper, we propose an exploratory method leveraging a large language model (LLM) to analyze privacy documents. We created a dataset of controls (n=1,511) from all nine standards identified as certifiable, cloud relevant, and privacy relevant. We fine-tuned BERT, a popular baseline LLM, to optimize performance on privacy standards. Finally, we performed topic modeling to better understand how the standards address privacy challenges and compare to one another. We demonstrate that controls can be grouped into 11 topics (e.g., "PII Management", "Continuous Monitoring and Auditing in Cloud"). Most standards seem to strongly emphasize the security and risk angles of privacy rather than rights and control over data. The results suggest efforts to standardize privacy practices are still nascent - more time, practice, and theoretical agreement is required before privacy standards approach the rigor of their security counterparts. By providing our fine-tuned model, coding pipeline, and method, we demonstrate the utility of this approach to better compare and understand privacy standards and other documentation for assessment and refining.