Some say that the arrival of the Protection of Personal Information Act, or POPI as it is known, will put a damper on the growth of the managed services or cloud computing market.
POPI obviously has relevance, but there’s also a fair amount of hype around the effect of POPI on companies’ plans to adopt the cloud computing or managed services model, says Adriaan Mocke, vice-president for Service Lines at Avanade South Africa.
As always, we need to calibrate the hype—much of it is coming from legal firms and consultants who see compliance as a potential revenue source. Companies who are practicing good information life cycle management are probably already largely compliant with the legislation, or are well on their way to doing so.
More importantly, the business drivers that make managed services or cloud computing so attractive are as compelling as ever. They include the need to lower IT infrastructure and management costs while also reducing complexity. Cloud computing takes the focus off the technicalities of IT to the benefits it delivers to the business, something that’s particularly relevant in today’s globalised, highly competitive markets where corporate agility is an essential lever of success.
Cloud computing and managed services are being adopted because they allow companies to achieve goals critical to their long-term sustainability and competitiveness. Cloud computing as an architectural and technological approach can be hugely beneficial when used strategically alongside existing computing assets.
On the whole, POPI should be welcomed as it will steward better treatment of personal data by some companies, and the need to comply with its provisions will accelerate the implementation of best practices in information management.
More than ever before, consumers are now thoroughly sensitised to the value of their personal data and the need to protect it. Companies that can demonstrate they handle that data in a responsible manner will be automatically positioned as trustworthy. Compliance should be seen as a way to prepare your business for success in what is increasingly a data-driven world.
The first step should be to undertake a comprehensive risk assessment to understand exactly what personal data the company holds, what the business reasons for holding it are, and what use is being made of the data by the various corporate departments. That assessment would include the processes and procedures in place within the company and any relevant service provider, such as a provider of cloud-based storage, for example.
On its own hardware a company has direct control of the way customer data is stored, but incurs additional overheads in order to maintain and store that data as well as the infrastructure itself. When using a cloud solution, while the overhead is potentially lower, there is the additional risk that it is not always 100 percent clear where that data is physically stored. This is because the organisation has no control over how the data centres are structured and how the data is distributed. For example, while the cloud solution is based in the UK, the data could reside in India. SA companies are going to have to understand how cloud providers store, archive and backup the data, in order to validate where data is stored with a cloud solution.
In addition, POPI imposes a time limit for storing data on customers. In terms of data destruction, a cloud solution raises further considerations in terms of how much control a company has over leaking of data stored on cloud, whether the cloud providers actually delete the data and whether there are no copies.
Choosing the right cloud or managed services provider will be critical, as such a vendor will be able to help you make the journey because data privacy is a global concern now. And always remember that good information management practices make good business sense.