South Africa: Consider Doing A Data Protection Impact Assessment Before Migrating To The Cloud

The cloud is now the preferred location for many businesses to host their data. The cloud comes with many benefits, such as increased security, reduced infrastructure investments and operational efficiency. Cloud products are also attractive because of their flexibility, scalability and ease of implementation. However, as enticing as these benefits sound, it is imperative that organisations consider the privacy implications before migrating into the cloud. Conducting a data protection impact assessment ("DPIA") is one method that could help minimise the risks.

Data privacy matters because when data containing personal information is transferred to the cloud:

• you lose control over that data,
• the cloud provider becomes an operator as defined in the Protection of Personal Information Act, 2013 ("POPIA")
• it could amount to a transborder transfer of personal information if the cloud servers are located outside of South Africa.

A responsible party must ensure that any processing is compliant with POPIA, appropriate operator agreements are concluded that impose obligations on the cloud provider to protect data, and that any transborder transfer of personal information is done lawfully.

Therefore, it is critical to understand and assess the privacy risk of moving into cloud from the outset, especially given the fact that you as a responsible party will ultimately be liable if anything goes wrong.

A great way to understand and essentially minimise privacy risks is by conducting a DPIA. POPIA does not mandate that DPIAs be conducted on a project specific basis, unlike the EU General Data Protection Regulation (GDPR), which specifies that an assessment of the impact of any envisaged processing activities be conducted in instances where "a type of processing activity, in particular, using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons". It is our view that conducting a DPIA is best practice and should apply in the South African context, especially in instances where migrating or using the cloud is considered. 

Drawing from the guidance provided by the UK's Information Commissioner's Office (the UK's information regulator), a DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project. A DPIA entails identifying your processing activities and the purposes of processing, then assessing the necessity and proportionality of the processing in relation to the purpose including assessing the risks to the rights of the data subjects. 

A DPIA is not intended to eliminate all risk but assists in minimising the risks posed by your processing activities and helps you determine whether or not the risk is acceptable. Once the risks have been identified, a DPIA also helps you determine how those risks can be mitigated. For example, after conducting a DPIA, you may find you require additional undertakings in your agreement with your cloud provider. Over and above this, a DPIA goes towards demonstrating to any interested party (the Information Regulator or affected data subject) or in the event of a data breach or complaint being raised, that as a responsible party you have taken all reasonable steps to assess and mitigate any data privacy risks.

Data privacy risks are only a subset of risks that need to be considered, organisations should also consider the financial, operational and technological risks when migrating to the cloud. To this end, we have developed a cloud risk matrix to help organisations understand the risk associated with a cloud provider and assist businesses to make informed decisions about the cloud.