Cloud vendors have responsibility to comply with POPI Act

Global privacy business expert Russell Opland.

While there are many risks associated with having a cloud vendor, the onus is on every organisation to ensure third-party service providers appropriately safeguard the information they have access to.

This was the word from global privacy business expert Russell Opland, speaking during the ITWeb Governance, Risk and Compliance 2021 virtual conference held last week.

Discussing the role and responsibility of third parties with regard to complying with the Protection of Personal Information (POPI) Act, Opland pointed out that while third parties such as cloud vendors and managed service providers are obliged to protect the personal data they handle, the main responsibility for ensuring the safeguarding of information ultimately lies with the organisation that hired them.

Not only does this protect their customers but it also shields the company from any reputational damage that can be caused by possible leakage of data.

“In SA, it’s a common misunderstanding − simply because we don’t have much experience with privacy and data protection laws − that when organisations outsource data processing services to an IT vendor, they somewhat intuitively think that the risk relating to a data breach transfers to that vendor or service provider. But POPI dictates that the main responsibility of data protection lies with the ‘responsible party’,” explained Opland.

“Responsible party” refers to the company, firm or establishment which determines the purpose of and means for processing personal information. “Because that organisation has made a decision to outsource the data processing services to a third-party, and in so doing, they cannot outsource their regulatory obligations and liability to protect data,” he added.

To illustrate this point, he referenced the Capital One data breach which took place in the US in 2019. The credit card provider had outsourced data management services to Amazon Web Services when a former Amazon employee broke into a server hosted by Amazon and gained access to more than 100 million Capital One customers' accounts.

“The Capital One hack couldn’t have come at a worse time for Amazon. At the time of the hack, Amazon’s cloud computing unit was considered the front-runner in a race to secure a $10 billion contract with another firm. It subsequently lost the contract following the breach. Furthermore, Capital One was ordered by federal regulators to pay an $80 million penalty fine for its role in the data breach.”

This illustrates the incredibly high risk that organisations face from vendors, service providers or operators, he added.

What does POPI say?

In order to protect clients’ personal information, organisations across all sectors need to conduct thorough due diligence when dealing with third parties, noted Opland.

He referenced section 21(1) and (2) of POPIA, which stipulates:

  • The operator must notify the responsible party immediately where there are reasonable grounds to believe the personal information of a data subject has been accessed or acquired by any unauthorised person.

“When dealing with vendors, organisations should obtain written contracts with all their suppliers who have access to personal information. They should also not forget suppliers who have ‘incidental’ access, such as cleaning services.”

In addition to obtaining written contracts, Opland recommended that organisations categorise their vendors based on risk: volume of personal information, types of personal information, etc.

“Provide different contract language based on the type of risk – what constitutes risk could vary. Once categorised, I would recommend that you have different suppliers’ default contract language for each risk category and undertake a more detailed evaluation of your ‘high risk’ suppliers,” he concluded.