As more organisations seek to cut costs and improve
efficiencies, the use of cloud services is growing amongst South
African businesses. But director at Werksmans Attorneys,
Tammy Bortz, advises companies to undertake a comprehensive
technical and legal due diligence of cloud service providers before
using cloud services.
"A lack of guidelines, codes of conduct or standards for
cloud service providers in South Africa could leave businesses open
to risk," says Bortz. "While internationally there
are a number of organisations which have issued guidelines and
codes of conduct, there are no such frameworks locally."
Cloud computing is not new technology but rather a new way of
delivering computing services "on demand", whereby users
can turn the services on and off, scale up or down, depending on
need. Examples include Gmail and Google Apps. The
ability to turn the services on and off or scale up or down,
depending on the need, has many benefits for companies, including
cost-effectiveness and flexibility. But concerns remain around
security, data privacy, loss of control over critical business
functions and data, as well as service interruption.
Bortz says the selection of a cloud provider, and the conclusion
of a cloud computing contract, should be approached in the same way
that other technology-related decisions are – with a
thorough audit of the provider undertaken first.
"With most public cloud offerings, contracts are not
negotiable and so the focus should be on contract/provider
evaluation," says Bortz. "Companies should assess the
various cloud providers, including their security, privacy and
redundancy policies as well as service level agreements,
Bortz says security remains a critical issue in cloud computing,
especially for companies using the cloud for business critical
services or where sensitive or personal data may be placed in the
cloud. Therefore conducting an audit of the provider's
security policies / processes and considering its security
certifications, are key to ensuring the integrity of personal
"Always check whether the provider has experienced any
security breaches and if so, ask how they were handled and what
planning has been done to prevent future problems," she
Probably the biggest risk to companies placing sensitive and
personal data in the cloud is data protection and privacy. Certain
provisions of the Protection of Personal Information (PPI) Bill are
relevant for both local cloud providers and organisations who are
considering using cloud services, whether locally or
Any person or business which processes personal information of
third parties is bound by the PPI Bill, which covers the
collection, storage, use, dissemination of personal
"Companies who process personal information will need to
ensure that they identify any threats to the personal information
under their control, ensure that proper safeguards are in place and
regularly verify and update those safeguards," says
Bortz. "They're also responsible for ensuring that
the cloud provider establishes and maintains these security
She adds that agreements with the cloud provider regarding
confidentiality and security measures must be concluded.
In addition, the PPI Bill will impact cross border data flows,
especially where South African companies use offshore cloud
providers. The PPI Bill prohibits the transfer of personal
information to a foreign entity unless the recipient of the
information is subject to a law or agreement which upholds similar
information protection principles or the data subject consents to
the transfer. As a result, Bortz advises companies to
establish what laws apply to protect personal information in the
jurisdiction in which the cloud provider is situated. Also consider
any restrictions on the transfer of such data back into South
She says companies should also find out what happens when an
arrangement with a cloud provider terminates. "Ask
whether the cloud provider offers any termination assistance around
the return of data. There are currently no standard data
formats or procedures for data portability, so the format in which
data will be returned must be understood and agreed
It's also important to consider what happens if there is an
interruption to service and what service levels are in place to
guarantee availability, response and resolution times.
"Cloud computing presents many benefits for companies.
However, it's important to mitigate the associated risks by
conducting a thorough technical and legal due diligence of cloud
providers and their offerings," concludes Bortz.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.