Cloud adopters must comply with data laws
Organisations need to become aware of laws that apply to the cloud if they use cloud computing services.
So said John Giles, managing attorney at Michalsons Attorneys, speaking at the ITWeb Cloud Summit 2017 yesterday in Johannesburg.
According to Giles, there are significant risks to cloud computing, but many of them are manageable and can be governed. "There are laws that apply to the use of the cloud and it's often quite tricky because they are in different jurisdictions and are different kinds of laws, like data protection laws, data localisation laws and data sovereignty laws. However, this should not stop cloud adoption."
Giles says organisations need to understand data localisation and data sovereignty with regard to cloud compliance, especially because different countries have different laws around these concepts. This means organisations need to adjust to the laws of the country where they are storing their data or moving data to, he adds.
Using cloud computing makes good business sense, but at the same time companies should be cognisant of the fact that they have to use the cloud in accordance with the law, he says. "And to do that you need to know what the laws are and apply them to your circumstances and follow a risk-based approach," said Giles.
In SA, the data protection law is the Protection of Personal Information (POPI) Act. The POPI Act was signed by the president on 19 November 2013 and published in the Government Gazette on 26 November 2013. On 10 May 2016, the Portfolio Committee on Justice and Correctional Services shortlisted five candidates for the office of Information Regulator. In October last year, a government statement confirmed the appointment of Pansy Tlakula as full-time member and chairperson of the Information Regulator.
Europe has the General Data Protection Regulation (GDPR), a regulation by which the European parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.
Giles says these laws should not be a hindrance to companies that want to use the cloud. If a company operates in SA only, then it should comply with POPI. However, if it is a multinational, especially one based in Europe, then it needs to comply with both POPI and GDPR.
"What would make sense in that scenario is to apply the GDPR, and the extra that POPI actually requires. It's a tricky thing, it's not easy, but that's what organisations should be doing if they have to comply with both, in my view."
Giles also noted that some information is not suitable for the public cloud from a legal point of view, especially highly sensitive information, for example a database of the HIV status of people in SA. According to Michalsons Attorneys, from a cloud compliance perspective, cloud providers must only process personal information with the knowledge and authorisation of the responsible party. Additionally, the data subject can consent to having their personal information stored by the cloud provider, it adds.