INTRODUCTION TO CLOUD IN SOUTH AFRICA
The South African (SA) government is committed to socio-economic transformation by reducing poverty and inequality, developing an inclusive economy and building capabilities[1] in a manner which gives effect to the rights enshrined in SA's Constitution.[2] The government recognizes that technology can play a key role in achieving these objectives.[3] At Microsoft, we agree. We believe that hyper-scale cloud services, in particular, can play a pivotal role in helping SA unlock its key socio-economic objectives while ensuring a safer, more secure and more effective environment, which adheres to accepted international technical standards.[4]
Microsoft is proud to confirm that it meets regulatory and compliance requirements for use of the cloud in some of the most highly regulated industries across the globe and can help you to achieve compliance with the regulatory and compliance requirements applicable in your sector.
THE REGULATORY LANDSCAPE
Microsoft has led the cloud technology revolution in SA and provides its customers with state-of-the-art cloud services. Its solutions, such as Microsoft Azure, Office 365, and Microsoft Dynamics 365, power many different customers across the MEA region, including SMEs, large global corporates, public sector and non-profit organisations.
Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth, and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure, and legally compliant manner.
Cloud adoption in SA has, as in many other countries, been accompanied by potential concerns about regulatory compliance. These concerns generally relate to the ability of cloud service providers to ensure security and privacy compliance. This is changing as organisations can now move to the cloud in a way that meets and often exceeds their security and privacy requirements. Cloud solutions from leading providers such as Microsoft are now being recognised for their ability to offer these or higher levels of security and privacy compliance.
At Microsoft, we welcome these positive developments and are pleased to have participated in a large number of compliance conversations with customers and regulators across sectors. As a result, we have developed a range of materials to help our customers in SA move to the cloud in a way that meets their regulatory requirements.
The laws governing the adoption of cloud computing in SA fall into two categories – general laws and regulations that apply to all organizations; and laws and regulations that only apply to organisations within specific sectors. There is presently no uniform regulation for cloud services in South Africa.
Currently in SA, data privacy laws are governed by SA's Constitution[5] and the common law. The right to privacy is recognized as a fundamental right. The Protection of Personal Information Act 4 of 2013 ("POPIA") will soon come into force. POPIA will specifically regulate the collection, use and processing of personal data. It will impose obligations on organizations concerning matters such as notice, consent and purpose, disclosures, international transfers, security, data retention, data subjects' rights of access and correction, and subcontracting.
POPIA will require responsible parties (data controllers) to have a written agreement with their cloud service providers and ensure that appropriate, reasonable technical and organisational measures are taken to protect personal information from loss, damage, unauthorised destruction, unlawful access, and processing.
The Information Regulator, appointed under POPIA, is a new regulator that will have extensive powers to investigate and fine responsible parties. The Information Regulator will provide guidelines for compliance with POPIA. Microsoft intends to continue working closely with the Information Regulator.
King IV[6] does not carry the force of law for most organizations[7] but is widely recognised as setting the ‘Gold Standard’ for governance in SA. For technology and information, it calls for the implementation of policies and processes to achieve certain outcomes,[8] which can be delivered by a move to the Microsoft cloud. These include aspects such as:
- Business resilience;
- Monitoring and appropriate responses to developments in technology;
- Proactive intelligence monitoring to identify and respond to incidents such as cyber-attacks;
- Managing performance and risks of third party and outsourced service providers;
- An information architecture to support confidentiality, integrity and availability;
- Protection of privacy of personal information; and
- Compliance with relevant laws.
The Cybercrimes and Cybersecurity Bill is likely to impact on the requirements of our customers. Microsoft is closely monitoring this development and has made submissions to Parliament on this important Bill.
This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services.
[1] South African National Development Plan
[2] Constitution of the Republic of South Africa Act 108 of 1996
[3] National Integrated ICT Policy White Paper
[4] Electronic Communications and Transactions Act 25 of 2005
[5] Constitution of the Republic of South Africa Act 108 of 1996
[6] King IV Report on Corporate Governance for South Africa 2016
[7] Listed groups will be bound in terms of the listing requirements of the Johannesburg Stock Exchange
[8] See Principle 12 of King IV
[9] Under the Electronic Communications and Transactions Act 25 of 2002, and also the Regulation and Interception of Communications and Provision of Communication-related Information Act 70 of 2002
[10] Under Chapter V of the Electronic Communications and Transactions Act 25 of 2002
WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES
We build our services from the ground up to help safeguard your data
Our policies and processes help keep your data private and in your control
We provide industry-verified conformity with global standards
We make our policies and practices clear and accessible to everyone