While Covid-19 has seen organisations shift to cloud platforms almost overnight to help them remain operational while their workforces are operating remotely, too many are not up to speed with what this means in terms of their data. This is particularly true now that the Protection of Personal Information (POPI) Act has come into play.
Cloud providers and the POPI Act
Even though cloud providers and third parties (such as managed service providers) are obligated to protect any personal data they handle, process or store, when it comes to ensuring the safety of their information, the onus is on the organisation that contracted them.
Primarily, cloud providers need to ensure that data is stored within South Africa’s borders. In fact, should any data be stored outside the country, they should seek legal advice and get full consent from the data owners to make sure that any affected customers are aware of this.
In addition, anyone who is storing data outside South Africa should make sure it is being stored in a territory that has either similar or stronger regulation in place than the POPIA. The data responsibility ultimately lies with the customer to make sure their data is safe and secure. They need to understand where their data is being stored and if they haven’t been contacted by their cloud provider yet, they should take the initiative and contact them.
As with any other business, cloud providers themselves need to comply with the POPIA. They need to understand their processes, such as how they are storing data, and ensure they are not processing any data that they shouldn’t. They can prepare themselves and their customers by fully understanding the requirements of the Act in terms of what is required from them, as well as what their customers need to do.
Any cloud providers that are hosting data need to ensure that the data is being stored securely, and that it can’t easily be breached by an attacker.
Referring to sections 21(1) and (2) of the Act, it specifies: “A responsible party must, in terms of a written contract between the responsible party and the operator, ensure the operator, which processes personal information for the responsible party, establishes and maintains the security measures referred to in Section 19. The operator must notify the responsible party immediately where there are reasonable grounds to believe the personal information of a data subject has been accessed or acquired by any unauthorised person.”
Keep in mind that cloud providers need to ensure there is clarity in terms of what is expected from each party. By being prepared, they can help customers prepare. Ultimately, data protection in the cloud is a two-way street. The cloud provider is responsible for making sure data is stored correctly, that only the authorised people have access to it, that data is fully backed up, and that service is uninterruptible.
The duty of the customer
The customer must ensure that their networks are secure, and that all devices that are used to access their information are secure too. It is a shared responsibility model. Cloud providers should have informed their customers by now that POPIA is in effect, but at the end of the day, it is up to the customer to ensure that their own processes are POPIA compliant.
Cloud providers need to stay up to date with what the Information Regulator has to say and keep a close eye out for any updates. As the POPIA process is refined, there are bound to be announcements and amendments that will ultimately affect every organisation. Check the Regulator’s website daily, follow any directives that are issued, and make the changes at once.
This will not only help cloud providers protect their customers; it will also help to shield the provider from any reputational damage that might result from a possible leakage of data. It is a common misconception among South African organisations when outsourcing to a third-party provider: that any risk relating to a data breach transfers to that service provider, but this isn’t the case. The POPI Act stipulates that the main responsibility of data protection lies with the company itself.