POPI in the sky of Diamonds

19th October 2016

I get asked about POPI a lot. I am very pro-cloud; I like being able to spin up 500 32-core virtual machines with my smartphone. I like the way these things are easy. I don’t like the roadblocks that people create to make things simpler for themselves to the disadvantage of their organizations.

The POPI Act is here

In the Protection of Personal Information Act, the topic of data locality (or Transborder Information Flows) is covered in chapter 9 (page 77). Things to note here are:

  1. This does not force data sovereignty on either party
  2. This does not stop you from moving data, personal information or workloads to cloud providers, contractors or consultancies outside South Africa
  3. This does not stop you from writing data governance policies that limit your own organization
  4. This does not stop you from writing a bad piece of code, being hacked and joining the ranks of Yahoo!, Ashley Madison or LinkedIn

If you think your servers are more secure in your offices than a secure data center like AWS, GCP or Azure, then think again. How difficult is it in your office to physically access a server? I have only met one server that survived my having physical access to it, and then only the second time, and only because its RAID array was corrupt. The first time, I hacked the admin account because the previous admin refused to provide it to the company we were contracted to support.

What the Act does require is that:

  1. The receiving party be subject to the same laws, or have data protection laws at least as good in place
  2. Those laws can be acted upon with at least the same efficacy as POPI

Now, and this is where it gets interesting, the POPI Act is written in such a way as to limit third parties’ access to the information. In cloud terms, Google, Amazon and Microsoft provide very secure infrastructure. In most cases data is encrypted at rest and in transit with keys that the provider generally does not have access to, and in many cases you can supply your own keys to force this. This means the infrastructure is provided by a third party, but the data never leaves the company’s servers (even though those servers are transient VMs in the cloud). If you then share the data with a third party to do something with it, you are bound by POPI to ensure that the person concerned has consented to the transmission of this information.
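As an added illustration of the customer-supplied-key point above (example code written for this page, not code from Google, Amazon or Microsoft, and not from the author), the following Go snippet seals an object under a key the customer holds before it is uploaded, so the storage provider only ever receives ciphertext. The key source is an assumption (an on-premise KMS or HSM); the object name is bound as associated data so a stored blob cannot be re-filed under another name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is all the cloud provider ever stores: a random nonce and
// AES-256-GCM ciphertext. The key never leaves the customer (assumed here
// to come from an on-premise KMS or HSM).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte customer-held key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptObject seals plaintext before upload. The object name is bound as
// associated data, so a stored blob cannot quietly be re-filed under another name.
func EncryptObject(key []byte, objectName string, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptObject opens a downloaded envelope. It fails on a wrong key, a
// modified ciphertext byte, or a mismatched object name, so the provider
// cannot read, alter or swap the data without the customer's key.
func DecryptObject(key []byte, objectName string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
}
```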

POPI does not stop you using cloud. POPI ensures that your cloud services comply with POPI. Google datacentres are SSAE16 / ISAE 3402 Type II, ISO 27001, ISO 27017, ISO 27018 (the ISO version of POPI) and PCI DSS 3.1 certified. Google is also HIPAA compliant (Google itself cannot be certified because it does not provide the services HIPAA covers, but if you do and you use Google Cloud Platform, your HIPAA certification will not be withheld because you are on their cloud) and offers EU model contract clauses for customers subject to the EU Data Protection Directive.

Stop hindering your business: the cloud age is here, and your competitors will outperform you on the use-of-cloud metric alone.