At the beginning of July, the Protection of Personal Information Act (POPIA) came into full effect.
For everyday South Africans it has likely meant unsubscribing from newsletters or services you forgot about, or never knew you had signed up for in the first place, but what does it mean for cloud providers in South Africa?
This is precisely what Stuart Oberholzer, Information Security Compliance manager at PaySpace, has unpacked, looking at the role and responsibility of cloud providers in regard to complying with POPIA.
As Oberholzer explains, cloud providers and third parties such as managed service providers are obligated to protect any personal data they handle, process or store, but the ultimate onus for ensuring the safety of that information rests with the organisation that contracted them.
Where the buck stops
“Primarily, cloud providers need to ensure that data is stored within South Africa’s borders. In fact, should any data be stored outside the country, they should seek legal advice, and also get full consent from the data owners to make sure that any affected customers are aware of this,” he highlights.
“In terms of data responsibility, it ultimately lies with the customer to make sure their data is safe and secure. They need to understand where their data is being stored and if they haven’t been contacted by their cloud provider yet, they should take the initiative and contact them,” he adds.
For those cloud providers still grappling with the intricacies of POPIA, Oberholzer advises taking the same approach to it that any other business operating in SA and working with data would.
To that end, “They can prepare themselves and their customers by fully understanding the requirements of the Act, in terms of what is required from them, as well as what their customers need to do,” the compliance manager says.
On top of this, any cloud provider that hosts data needs to ensure that the data is stored securely and cannot easily be accessed by an attacker.
Here Oberholzer refers to sections 21(1) and (2) of the Act.
“A responsible party must, in terms of a written contract between the responsible party and the operator, ensure the operator, which processes personal information for the responsible party, establishes and maintains the security measures referred to in Section 19. The operator must notify the responsible party immediately where there are reasonable grounds to believe the personal information of a data subject has been accessed or acquired by any unauthorised person,” he cites.
A collaborative effort
“By being prepared, they can help customers prepare. Ultimately, data protection in the cloud is a two-way street. The cloud provider is responsible for making sure data is stored correctly, that only the authorised people have access to it, that data is fully backed up, and that service is uninterruptible,” Oberholzer adds.
As more insight into POPIA is developed with each passing day, Oberholzer says a collaborative effort between customer and cloud provider is needed to ensure that compliance across the board is achieved.
“Ultimately, it is a shared responsibility model. Cloud providers must inform their customers that POPIA is happening, but at the end of the day, it is up to the customer to ensure that their own processes are POPI compliant,” he says.
“As the POPIA process is refined, there are bound to be announcements and amendments that will ultimately affect every organisation. Check the (Information) Regulator’s website daily, follow any directives that are issued, and make the changes at once,” Oberholzer concludes.