ISO 27018 compliance: Here's what you need to know

Stan Gibson

Know your PII

It's 3AM; do you know where your personally identifiable information (PII) is?

Before you can answer that question, you need to define just what PII is, as far as your business is concerned.

Generally speaking, PII is any information that is traceable to an individual. In the ISO 27018 standard, ISO describes PII as "any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal."

Most often, that is a person's name combined with another piece of personal information, such as an address or a Social Security number. However, it could also be a physical characteristic: a person's voice, a facial image, or a video of a telltale motion like a person's gait. Further, sophisticated algorithms are increasingly capable of tying ever smaller bits of information to a particular individual.

For the purposes of contractual obligations, it's up to a customer to say what PII is.

As the ISO document explains, "A public cloud PII processor is typically not in a position to know explicitly whether information it processes falls into any specified category unless this is made transparent by the cloud service customer."

Translation: As a cloud customer, you must know what you consider to be PII and you must inform the cloud provider.

Once you've done that, the certified cloud provider then must handle that information in accordance with ISO 27018 guidelines.

