POPI and the Cloud – What you need to know
With the introduction of the Protection of Personal Information (POPI) Act, big organisations and small businesses alike need to ensure that their systems are compliant with the new legislation.
The Protection of Personal Information (POPI) Act No.4 of 2013 states:
A Responsible Party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country.
How does this affect cloud computing?
Some cloud providers use overseas data centres for their data storage. As a result, they cannot guarantee the level of software and hardware security that is implemented at a data centre in a different geographical location, and this is where things can get complicated under the POPI regulation.
According to POPI, companies need to obtain consent to store personal information outside of South Africa. This consent needs to be given at the time the data is gathered. This means that you need to know where your data is stored at all times in order to obtain the right type of consent when gathering data.
One way to minimise the paperwork and the possibility of being fined for non-compliance is to use a cloud provider that makes use of data storage facilities within the borders of South Africa.
RSAWEB is one of these providers, and you can sleep easy with the knowledge that your data is safe and secure on home soil when using any of our Cloud products or Enterprise Cloud (Virtual Data Centre).
Who is responsible for the compliance?
In order to understand the roles of the client and the cloud providers you need to understand the difference between a Responsible Party and an Operator as set out by POPI.
A Responsible Party means a public or private body or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing personal information. In this case, that is the client.
An Operator means a person or company who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party. In this case, that is the cloud provider.
According to POPI, the responsibility lies with the client (the Responsible Party) to secure the integrity and confidentiality of personal information, while the cloud provider (the Operator) processes the information on behalf of the Responsible Party, who has given the authorisation to do so.
For information on any of RSAWEB’s Cloud Servers or Enterprise Cloud (VDC) products you can contact us on:
087 470 0000 or [email protected]