By Theo Watson, Commercial Attorney at Microsoft South Africa
Digital transformation is touching every sector as well as every industry, disrupting the traditional market leaders, value chains and conventional ways of doing business along the way. While the technology (IoT, big data analytics, machine learning, artificial intelligence) and the business benefits these can unlock get a lot of attention, one aspect often overlooked in the digital transformation process is compliance and regulation.
Going hand in hand with the technological trends and developments are new regulation and laws such as the Protection of Personal Information (PoPI) Act 4 of 2013. The purpose of this regulation is to safeguard people’s personal information within the digital era in which technology has made the collection, storing, and sharing of said information quick and easy.
On question that frequently gets asked of Microsoft’s cloud sales teams is whether the company’s enterprise cloud services are PoPI compliant? For the most part, Microsoft, as an Operator (as defined under PoPI), faces a narrow set of PoPI obligations. These tend to be restricted to issues of confidentiality and notification in the event of a data breach. So, with this in mind, Microsoft is well positioned to describe its cloud services as meeting PoPI compliance.
However, the broad or general question of whether Microsoft’s enterprise cloud services are PoPI compliant is rarely (if ever) aimed at assessing its, narrow, duties under the Act. More often the question is asked in an attempt to “tick a box” and allow an easy move to the cloud. Simply put, the question is misconstrued and can lead to misunderstanding of the PoPI roles and responsibilities within a customer environment.
Since PoPI is in the main aimed at protecting personal information in the hands of a Microsoft customer (a Responsible Party), it stands to reason that the principal compliance aspects and adherence to the Act falls to the customer (Responsible Party) and not Microsoft as a cloud service provider
Another dimension of customer support
The more pertinent question to ask then is: Does Microsoft support a customer’s compliance under PoPI? The ability to positively answer this question should be the standard response that a customer seeks when engaging a Cloud Service Provider.
For instance, a customer (Responsible Party) is required to ensure that Personal Information of an end customer (data subject) is collected for a specific purpose and used only for that purpose. As the enterprise cloud service provider, Microsoft does not scan or read customer email or other content. Moreover, Microsoft does not engage with the end customer, and would consequently never be able to satisfy this PoPI requirement.
Only the customer consuming the cloud services would be able to assess and address this PoPI obligation. Knowing that Microsoft is compliant with PoPI will not assist a customer achieve compliance with regards to this example. To achieve compliance in the above scenario, a cloud customer needs to ensure that it uses a data subject’s personal information for the primary purpose for which it was collected. If a customer’s cloud service provider uses a data subject’s personal information for other purposes such as targeted advertising for example, the customer may be in breach of its compliance under PoPI as a result of its cloud service provider’s actions.
What this ultimately means is that asking whether the cloud service provider is compliant with PoPI in instances like this, does not assist a customer, because the responsibility (or compliance) belongs to it and not the cloud service provider.
A more appropriate question to ask in this case would be how a cloud service provider supports a customer’s compliance, would enables a true evaluation of position to emerge.