South African organisations have long been apprehensive about cloud solutions and hosting their data on cloud platforms, whether due to the inherent risks arising out of trusting third parties with sensitive data or other factors such as lack of familiarity, complexity or elevated costs. Recently, the burgeoning cost of local hardware storage contrasted with the reduction in cost of cloud storage solutions from service providers has compelled organisations to look at cloud solutions as a viable alternative, with many now beginning to consider cloud solutions as integral to their business requirements.
Cloud solutions are especially attractive to organisations in the financial services industry, many of whom store and process substantial amounts of customer and financial data. Cloud service providers offer low complexity cloud solutions without the associated costs involved in establishing, securing and maintaining costly local storage facilities.
Notwithstanding this, there are increasing regulatory considerations involved for some organisations that make use of cloud solutions. POPIA, while not yet fully effective, requires that responsible parties must ensure that there is an “adequate level of protection” prior to transferring data to third parties in foreign countries. As of the 1st of October 2018, the South African Reserve Bank’s Prudential Authority issued Directive 3/2018 (“Directive”) and Guidance Note 5/2018 (“Guidance Note”), addressing cloud computing and data offshoring. The Directive and Guidance Note significantly change the regulatory and data protection landscape for banks in South Africa. The Guidance Note effectively enacts Chapter 9 (Transborder Information Flows) and by reference, Chapter 3 (Conditions for the lawful processing of personal information) of POPIA.
The enactment of these provisions of POPIA and the publication of the Directive and Guidance Note have the effect of creating formidable new challenges for Banks, who will, among other things, have to:
- comply with large parts of POPIA;
- create data governance frameworks and strategies;
- provide for board oversight of cloud computing and data offshoring activities; and
- ensure effective third party risk management as of the 1st of October 2018.
These provisions and directives create far-reaching implications for banks in South Africa and banks are advised to begin implementing effective organisational and technical measures to address these considerations expeditiously.
While these provisions are limited to banks for now, it is not inconceivable that the requirements may be extended to include other financial services organisations in the foreseeable future. It is therefore imperative that organisations are aware of these provisions and begin taking proactive measures towards compliance or face the risk of substantial financial penalties and reputational damage for non-compliance. The use of cloud storage in a decentralised manner is also aiding in Blockchain Technology.
For more information, contact:
Director: Risk Advisory Southern Africa
Tel: +27 11 209 8598
Associate Director: Risk Advisory Southern Africa
Tel: +27 11 209 6418