PPI Bill to impact cloud computing
July 5, 2012. Grazed from ITWeb. Author: Admire Moyo.
The Protection of Personal Information (PPI) Bill, which will soon become law, poses complex challenges to all businesses using cloud computing services. This is according to consultancy firm Deloitte, which notes that cloud computing is a particular concern because it is more pervasive than many companies realise.
SA is set to enact the PPI Bill this year. The Bill, in its seventh version, has already been submitted to the justice minister and aims to protect personal information processed by public and private bodies.
According to Deloitte, all indications are that the Bill will be promulgated in its current state. It adds that the fact that using a cloud solution is likely to mean data will cross SA’s borders immediately introduces PPI challenges…
SLA adjustments
Speaking at a media roundtable to discuss the implications of the Bill this week, Terry Kelly, associate director for risk advisory at Deloitte, noted that while a firm may not officially use a cloud service – using a traditional onsite server instead – there is a high probability that a service provider it outsources to does use cloud services.
“The cloud storage is often in a foreign country and this has considerable implications for how companies handle and transfer data,” said Kelly.
He added that if a company outsources a service, such as payroll, and the service provider uses cloud computing, the PPI law would require the company to ask some pertinent questions about the environment in which the information is stored.
“If that information storage is breached by an unauthorised third party, the law holds the outsourcing company liable,” Kelly explained.
He added that companies should adjust service level agreements so that service providers are required to disclose in detail where data will be stored.
“If the data will be stored in a foreign location, the outsourcing company will have to ensure that it complies with PPI requirements.”
Multinationals’ dilemma
Also speaking at the roundtable, Dean Chivers, director at Deloitte Legal, said multinationals face a particular challenge under PPI by virtue of their operations across various jurisdictions.
He noted that country subsidiaries of a multinational will have to carefully consider how they share data and interact with their head office.
“The principle of the legislation is that a company in a country that has PPI laws cannot send information to a country that does not have similar rules. However, this rule is waived if the company in the receiving country contracts to formally comply with the laws of the company in the sending country.
“If the sending company is in Germany, for example, the receiving company will have to be audited for compliance before data can be transferred,” Chivers said.
He also pointed out that if the multinational is domiciled in a country that does not have PPI legislation, such as India, there are currently no impediments to the flow of information between the two countries.
However, he noted that once SA adopts PPI, companies whose affiliates or partners are in India will have to conform to additional regulatory requirements to perform what has, until now, been routine extraction of information from the local subsidiary.
Chivers is of the view that the simplest and most effective course is for multinationals to look at the countries where they have operations and adopt the highest standard of information protection among them as their global standard.
In terms of compliance and penalties for non-compliance, the PPI Bill proposes the establishment of a Privacy Regulator. Chivers expects the regulator, its powers and sanctions to be modelled along the lines of the Competition Commission, which has had prominent enforcement success.
A key feature of the PPI legislation is the self-reporting requirement. Companies that have breached the law, for example by accidentally disclosing payroll information, are required to report themselves to the regulator. If a company does not report a breach, and is later caught through an investigation, the offending company will be liable for a heavier penalty.
Database restrictions
The PPI law will also restrict how companies can use databases for marketing. One of its key requirements is that data can be used only for the purpose for which it was gathered. Thus, if a customer supplies financial information to access a specific product, companies cannot pass on that data to a different marketer to sell a different product.
Chivers expects PPI provisions will also follow the Competition Act by levying penalties as a percentage of turnover. The European Union has a draft recommendation for the applicable fine to be raised to 2% of group global turnover.
Says Chivers: “The legislation will likely see two types of responses. There will be mavericks that wait as long as possible and finally comply when penalties are imminent. But there are also corporates that are taking a proactive approach and preparing for implementation of PPI.
“Deloitte estimates that a sizable multinational will need between 18 months and three years to comply fully with the legislation. We believe early, full and voluntary compliance can serve as a differentiator for a company, as it is indicative of its corporate culture and approach to governance, and in many cases, reduces the privacy risks their business partners face.”