Cloud and POPI have become a part of the business language used in South Africa, and if it isn’t a part of your business vocabulary, it might be time to become fluent in it. Failure to do so can result in hefty fines, even jail time.
Data security is at the core of the POPI (Protection of Personal Information) Act. The Act ensures that companies act responsibly when collecting, processing, storing and sharing the personal information of individuals, or other companies. If this personal information is compromised, the company is held accountable.
So if your business isn't keeping data secure in the cloud, then you are not POPI compliant.
Before finding out how to keep your data secure, for how long, and how to destroy it effectively to be POPI compliant, here is a quick recap on the POPI act.
All about the POPI Act
The POPI Act is a piece of legislation that safeguards the integrity and sensitivity of private information. Companies are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the Act.
The Act provides 8 conditions under which Personal Information may legally be gathered and processed.
- Accountability
The responsible party must ensure that the conditions, and all the measures set out in the Act that give effect to those conditions, are complied with at the time of determining the purpose and means of the processing.
- Processing Limitation
Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
- Purpose Specific
Personal information may only be processed for specific, explicitly defined and legitimate reasons.
- Further Processing Limitation
Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
- Information Quality
The responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
- Openness
The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used.
- Security Safeguards
Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction and disclosure.
- Data Subject Participation
Data subjects may request confirmation of whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.
To secure information, companies need to understand what information is gathered and kept, and then take steps to protect the information.
How does this translate if you are running your business in the cloud, or providing cloud services?
Protecting customer data in the cloud
Cloud services are seriously impacted by the POPI Act. As large volumes of personal information are stored in the cloud, it is crucial that this data is protected and kept in a safe cloud environment.
Cloud providers have to put in place appropriate controls to ensure a reliable and secure cloud service for their users.
Not complying with the POPI Act could result in a R10 million fine or 10 years in jail.
Appropriate measures to keep personal information secure in the cloud
If you are a cloud provider, you need to put in place and maintain measures to keep personal information secure, and protect it against unauthorised or unlawful processing and accidental loss, destruction or damage. Cloud providers:
- have to be fully transparent about their processing of personal information
- must annually verify that the technical and organisational measures implemented and maintained are effective in safeguarding their data subjects’ rights
- implement and maintain the measures necessary to comply with the conditions for the lawful processing of personal information
Data subjects are entitled to know the precise physical location of their personal information and the specific devices on which the personal data physically exists, including temporary storage; who has accessed their data and for what purpose; and what safeguards are in place to protect the data subject's rights.
A disposal programme needs to be implemented and then rigidly followed. It is highly risky under POPIA to keep records and not destroy them once their purpose has been fulfilled.
A key element of disposal is ensuring that duplicates, in both paper and electronic formats, are also destroyed.
Symbiotics understands the importance of complying with the POPI Act
Symbiotics hosts applications in a secure and reliable environment and provides ongoing support so that clients continue to have peace of mind. Symbiotics takes care of system security, server updates, backups and other system administration functions while clients focus on their business.
Cloud and POPI working together
Cloud service providers must comply with the POPI Act. The POPI Act ensures that the right to privacy is taken seriously and includes a data subject’s right to be protected against any unlawful collection, retention, dissemination and use of their personal information.
It is vital that cloud providers implement sufficient data security measures to protect their clients' information, and ensure they capture only what is required.
Download the POPI Act here: Act No. 4 of 2013 : Protection of Personal Information Act, 2013