IP/IT Law: What the POPI Act means for Software as a Service

Whether you’re a supplier, a customer, or even the customer’s customer, find out how the POPI Act may affect your business.

The risks associated with the processing of personal information on in-house systems are relatively straightforward for any responsible party. However, if you’re a business or organisation that uses Software as a Service (SaaS), also known as ‘Cloud Services’, things may be a little different.

What is SaaS?

Along with infrastructure as a service (IaaS) and platform as a service (PaaS), software as a service (SaaS) is one of the three main cloud computing categories.

A SaaS cloud offers access to a complete software application which the cloud user accesses through a web browser or an application on his/her mobile device or desktop. Accessing the software in this manner eliminates or reduces the need to install and run software on a business’s own computers. Instead, companies (cloud users) simply sign up and pay either a monthly or annual subscription fee. It is no longer simply the provision/distribution of software to a software licensee by the licensor, but a service provided by the cloud service provider (CSP) to the cloud service customer (CSC).

POPI ACT and SaaS: Who is responsible for what?

We’ve all heard about the POPI Act, that its commencement date was confirmed to be the 1st of July 2020, and that there is a subsequent grace period of 12 months (ending on the 30th of June 2021), after which all responsible parties will have to comply with it. However, not all SaaS providers are aware of how the POPI Act will apply to them or the users of SaaS offerings, what they need to do to ensure they comply with the POPI Act, or when their personal information or the personal information of their customers is actually processed by a third-party SaaS provider.

When it comes to the POPI Act, both SaaS service providers (CSP) and customers (CSC) have their own responsibilities to uphold. The POPI Act obligations will vary slightly depending on whether you or your business is the responsible party or the operator.

This will be the scenario in most cases:

  • The Operator: The cloud service provider (CSP), SaaS supplier/vendor (definition as per the POPI Act: “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”).
  • The Responsible Party: The company, SaaS customer (CSC) (definition as per the POPI Act: “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”).

What are the high-level obligations of the SaaS customer acting as the responsible party under the POPI Act and the SaaS Service provider acting as an operator?

POPI ACT for SaaS customers

Responsible parties are obliged to meet all the conditions of the POPI Act. This means being able to demonstrate what technological and organisational measures (including but not limited to processes and procedures) have been established and maintained to guarantee that both its business and the cloud service provider it utilises comply with the POPI Act.

Responsible parties can be held accountable for the actions of the operator (CSP), which means that the Responsible Party should confirm the following prior to signing up with any CSP:

  • There must be written (yes, it can be in electronic format) terms and conditions that you and the CSP will have to agree to (the SaaS Agreement).
  • Check the terms and conditions and ensure that you fully comprehend the contract you are agreeing to. The services of SaaS suppliers are set out according to the terms and conditions, and whether or not they are POPI ACT compliant should be the deal-breaker.
  • That the security management systems they have in place to process data must meet cloud implementation standards (including but not limited to certain international standards such as ISO/IEC 27001 and ISO/IEC 27017).
  • Understand where the personal information will be physically processed and whether any personal information is transferred cross-border (additional requirements when this happens).
  • That the operator is able to present its privacy policy.
  • Your right to have your own, as well as your customers’, stored personal information deleted or returned if that has been requested.
  • Whether or not, subsequent to the above request, the personal information can be easily located and sent to your business and subsequently to your customers, in a suitable format.
  • What will happen with the personal information at the termination of the SaaS Agreement.

Your key responsibilities as a data operator:

  • Ensure your SaaS Agreement/Cloud Services terms and conditions are up to date with reference to the POPI Act.
  • Enhance your security systems in accordance with industry best practices and relevant international standards to limit possible breaches, loss of data, and unauthorised processing operations.
  • Document and maintain data records and security audits.
  • Ensure that all employees (including independent contractors) of your business (including any entity in your group of businesses) are aware of the extended rights of your consumers which include the right to have access to personal information and the right to request the return of personal information or destruction of the personal information.
  • Identify the purpose of processing and avoid further processing without proper consent from the customer.
  • Avoid direct marketing to persons that are not customers and, if they are customers, limit it to services and/or products similar to those they already use or have been exposed to.
  • Ensure that a process for reporting data breaches is in place. The POPI Act includes particular requirements for data breach notifications, so you (as operator) have to make sure your company knows how to handle them properly.

Take note that the above is only a very high-level breakdown of possible actions and steps you can take to comply with the POPI Act when using Cloud Services or making Cloud Services available to customers. For more in-depth information and instructions for both responsible parties and operators, contact our Technology Attorneys at IT&IP@dkvg.co.za

Please feel free to email our Gerrie van Gaalen at gvgaalen@dkvg.co.za or to phone him on 021 914 4020 if you need more information or assistance.

Gerrie van Gaalen – Tyger Valley

This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us at DKVG Attorneys for specific and detailed advice.