Whether you’re a supplier, a customer, or even the customer’s customer, find out how the POPI Act may affect your business.
The risks associated with the processing of personal information on in-house systems are relatively straightforward for any responsible party. However, if you are a business or organisation that uses Software as a Service (SaaS), also known as "Cloud Services", things may be a little different.
What is SaaS?
Along with infrastructure as a service (IaaS) and platform as a service (PaaS), software as a service (SaaS) is one of the three main cloud computing service models.
A SaaS cloud offers access to a complete software application which the cloud user accesses through a web browser or an application on their mobile device or desktop. Accessing the software in this manner eliminates or reduces the need to install and run software on a business's own computers. Instead, companies (cloud users) simply sign up and pay a monthly or annual subscription fee. It is no longer simply the provision or distribution of software by a licensor to a software licensee, but a service provided by the cloud service provider (CSP) to the cloud service customer (CSC).
POPI ACT and SaaS: Who is responsible for what?
We have all heard about the POPI Act, that its commencement date was confirmed to be the 1st of July 2020, and that there is a subsequent grace period of 12 months (ending on the 30th of June 2021), after which all responsible parties will have to comply with it. However, not all SaaS providers and their customers are aware of how the POPI Act will apply to them, what they need to do to ensure they comply with the POPI Act, or when their personal information or the personal information of their customers is actually processed by a third-party SaaS provider.
When it comes to the POPI Act, both SaaS providers (CSPs) and SaaS customers (CSCs) have their own responsibilities to uphold. The POPI Act obligations will differ depending on whether you or your business is the responsible party or the operator.
In most cases the SaaS customer will be the responsible party and the SaaS provider will be the operator.
What are the high-level obligations of the SaaS customer acting as the responsible party under the POPI Act, and of the SaaS provider acting as an operator?
POPI ACT for SaaS customers
Responsible parties are obliged to meet all the conditions of the POPI Act. This means being able to demonstrate what technological and organisational measures (including but not limited to processes and procedures) have been established and maintained to ensure that both its own business and the cloud service provider it uses comply with the POPI Act.
Responsible parties can be held accountable for the actions of the operator (CSP), which means that the responsible party should confirm the following prior to signing up with any CSP:
Your key responsibilities as an operator (SaaS provider):
Take note: the above is only a very high-level breakdown of the possible actions and steps you can take to comply with the POPI Act when using Cloud Services or making Cloud Services available to customers. For more in-depth information and guidance for both responsible parties and operators, contact our Technology Attorneys at IT&IP@dkvg.co.za
Please feel free to email our Gerrie van Gaalen at firstname.lastname@example.org or to phone him on 021 914 4020 if you need more information or assistance.
Gerrie van Gaalen – Tyger Valley
This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions, nor for any loss or damage arising from reliance upon any information herein. Always contact us at DKVG Attorneys for specific and detailed advice.