INTRODUCTION TO CLOUD IN SOUTH AFRICA

The South African (SA) government is committed to socio-economic transformation by reducing poverty and inequality, developing an inclusive economy and building capabilities[1] in a manner which gives effect to the rights enshrined in SA's Constitution.[2] The government recognizes that technology can play a key role in achieving these objectives.[3] At Microsoft, we agree. We believe that hyper-scale cloud services, in particular, can play a pivotal role in helping SA unlock its key socio-economic objectives while ensuring a safer, more secure and more effective environment, which adheres to accepted international technical standards.[4]

Microsoft is proud to confirm that it meets regulatory and compliance requirements for use of the cloud in some of the most highly regulated industries across the globe and can help you to achieve compliance with the regulatory and compliance requirements applicable in your sector.

THE REGULATORY LANDSCAPE

Microsoft has led the cloud technology revolution in SA and provides its customers with state-of-the-art cloud services. Its solutions, such as Microsoft Azure, Office 365, and Microsoft Dynamics 365, power many different customers across the MEA region, including SMEs, large global corporates, public sector and non-profit organisations.

Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth, and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure, and legally compliant manner.

  • Cloud adoption in SA has, as in many other countries, been accompanied by potential concerns about regulatory compliance. These concerns generally relate to the ability of cloud service providers to ensure security and privacy compliance. This is changing as organisations can now move to the cloud in a way that meets and often exceeds their security and privacy requirements. Cloud solutions from leading providers such as Microsoft are now being recognised for their ability to offer these or higher levels of security and privacy compliance.

    At Microsoft, we welcome these positive developments and are pleased to have participated in a large number of compliance conversations with customers and regulators across sectors. As a result, we have developed a range of materials to help our customers in SA move to the cloud in a way that meets their regulatory requirements.

  • The laws governing the adoption of cloud computing in SA fall into two categories – general laws and regulations that apply to all organizations; and laws and regulations that only apply to organisations within specific sectors. There is presently no uniform regulation for cloud services in South Africa.

    • Currently in SA, data privacy laws are governed by SA's Constitution[5] and the common law. The right to privacy is recognized as a fundamental right. The Protection of Personal Information Act 4 of 2013 ("POPIA") will soon come into force. POPIA will specifically regulate the collection, use and processing of personal data. It will impose obligations on organizations concerning matters such as notice, consent and purpose, disclosures, international transfers, security, data retention, data subjects' rights of access and correction, and subcontracting.

      POPIA will require responsible parties (data controllers) to have a written agreement with their cloud service providers and ensure that appropriate, reasonable technical and organisational measures are taken to protect personal information from loss, damage, unauthorised destruction, unlawful access, and processing.

      The Information Regulator, appointed under POPIA, is a new regulator that will have extensive powers to investigate and fine responsible parties. The Information Regulator will provide guidelines for compliance with POPIA. Microsoft intends to continue working closely with the Information Regulator.

    • King IV[6] does not carry the force of law for most organizations[7] but is widely recognised as setting the ‘Gold Standard’ for governance in SA. For technology and information, it calls for the implementation of policies and processes to achieve certain outcomes,[8] which can be delivered by a move to the Microsoft cloud. These include aspects such as:

      • Business resilience;
      • Monitoring and appropriate responses to developments in technology;
      • Proactive intelligence monitoring to identify and respond to incidents such as cyber-attacks;
      • Managing performance and risks of third party and outsourced service providers;
      • An information architecture to support confidentiality, integrity and availability; protection of privacy of personal information; and
      • Compliance with relevant laws.
    • The use of encryption technology, which forms a key part of Microsoft's cloud service offerings, is also regulated.[9] To this end, Microsoft has obtained registrations required by law.[10]

    • The Cybercrimes and Cybersecurity Bill is likely to impact on the requirements of our customers. Microsoft is closely monitoring this development and has made submissions to Parliament on this important Bill.

  • This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services.


    [1] South African National Development Plan
    [2] Constitution of the Republic of South Africa Act 108 of 1996
    [3] National Integrated ICT Policy White Paper
    [4] Electronic Communications and Transactions Act 25 of 2005
    [5] Constitution of the Republic of South Africa Act 108 of 1996
    [6] King IV Report on Corporate Governance for South Africa 2016
    [7] Listed groups will be bound in terms of the listing requirements of the Johannesburg Stock Exchange
    [8] See Principle 12 of King IV
    [9] Under the Electronic Communications and Transactions Act 25 of 2002, and also the Regulation and Interception of Communications and Provision of Communication-related Information Act 70 of 2002
    [10] Under Chapter V of the Electronic Communications and Transactions Act 25 of 2002

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone


*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.