Exco Risk Technology

Cloud Computing and PPI: Finding your bearing

getting your PPI bearings
Cloud computing is revolutionising the way IT services and resources are delivered, offering access to information anytime, anywhere and on any device. More and more organisations evaluate cloud-based solutions first before making any IT investments, as cloud computing provides flexible and cost effective resources to support business growth; enhances collaboration and deepens customer relationships at much lower cost; and accelerates IT innovation by reducing research and product development cycles. Even though the cloud market is growing at an exponential speed, the full business potential of cloud is yet to be realised and even to be understood by executives.

Cloud adoption in South Africa is still very reactive due to a number of reasons. The main reasons include large investments made in legacy systems; inadequate cloud understanding; the fear of losing control; regulatory and compliance issues; network challenges and high bandwidth costs; and security and privacy concerns. Notably, from a regulation, compliance, security and privacy perspective, the PPI (Protection of Personal Information) Law plays a large role in the decision to adopt cloud-based solutions.

The impact of PPI on cloud-based solutions

Whether you are utilising cloud-based solutions or planning to adopt cloud; it is critical to identify any personal information that will be collected, transferred, used, stored or shared between your organisation and the cloud provider and/or any other third parties. Sections 19 to 22 of the PPI Bill prescribe the security safeguards that the responsible party (your organisation) and the operator (cloud provider) need to adhere to in the processing of personal information. Responsibilities for the safeguarding of personal information include identifying internal or external risks to personal information; establishing and maintaining appropriate safeguards; regularly verifying the effectiveness of safeguards; and continually updating safeguards in response to new risks or identified deficiencies (Section 19(2)).

Section 21 of the PPI Bill specifies that if the responsible party (your organisation) requires the processing of personal information by an operator (the cloud provider), there must be a written agreement that stipulates that the cloud provider must establish and maintain safeguards to protect the integrity an confidentiality of personal information. Furthermore, chapter 9 of the PPI Bill deals with trans-border information flow, stipulating that the responsible party (your organisation) may not transfer personal information to a third party (cloud provider) who is in a foreign country unless (1) the recipient is subject to a binding agreement (upholding the requirements of safeguarding personal information); or (2) that the cloud provider are adhering to adequate in-country laws (substantially similar to the provisions in the PPI Bill).

When utilising cloud-based solutions, it is therefore important to give consideration to the following:

  • Identification and protection of personal information in the cloud (i.e. data processed in unlawful manner, inappropriately collected data, unauthorised access to personal information and intellectual property, unauthorised exposure of data at cloud location, malicious activity of co-tenant, subpoena by law enforcement (digital evidence / e-discovery)).
  • Responsibilities and liability of the cloud provider (i.e. ensuring that the agreement between your company and the cloud provider caters for the privacy and security requirements as stipulated in Section 19-22 of the PPI Bill).
  • Cross-border transfer of personal information (ensuring compliance with Chapter 9 of the PPI Bill).


How can we help you?

Let us help you make sense of your personal information in the cloud. (click on the graphic to enlarge)

 PPI in the cloud

For more information on Cloud Computing and PPI; contact Dr Mariana Carroll (Senior Manager: Deloitte Consulting) or Daniela Kafouris (Privacy Leader: Deloitte Legal).

About the author


Leave a Comment