
Deloitte SA Blog


PPI: What does it mean for Enterprise Mobility?

PPI and Enterprise Mobility

South Africa recently passed new legislation that makes companies accountable for governing the protection of personal information, both company- and employee-related. This legislation is known as the Protection of Personal Information Act, POPI or PPI.

The PPI (Protection of Personal Information) Act refers to the Data Life Cycle, providing rules and guidance for the following “states” of information within the information life cycle:

  • Collection or creating data
  • Processing, Marketing & Cross Border Transfers
  • Purpose Specification
  • Further Processing
  • Retention requirements
  • Destruction or Archiving

No Boundaries

With the increasing growth and expansion of technology in our world today, many boundaries are being broken down and distance becomes irrelevant in the world of data and information systems.

The cyber highways contain a wealth of information that travels round the globe in an instant. Current news articles are read digitally seconds after they are published and this form of information or content is part of our daily lives.

Today email on a smartphone or tablet is a “must have” in both your personal and professional lives. Employees can now be empowered to submit leave requests, claim expenses or access internal systems while on the move or while sitting at the airport waiting to catch a business flight. But how is all this information governed?

Information Governance

Such vast amounts of information scattered around lead to the question: “How do I ensure that my company and personal information is adequately safeguarded?”

With the advent of mobile devices (laptops, smartphones and tablets) that provide this information anywhere, any time, there is a significant impact on personal information governance.

From an enterprise mobility perspective, the picture looks like a piece of Swiss cheese, full of holes. These mobile devices pose a great risk in the marathon to become PPI compliant. In the event of an information “breach”, companies must be confident in answering the following question: “What was done to protect this personal information?”

To ensure that this question is sufficiently answered, companies must develop and implement a mobility strategy, mobile device policy and personal information governance policy for all staff members to adhere to when mobile devices are used to expand the “borders of the office”.

With stringent, well thought out and planned mobile security policies in place, an enterprise platform can be established which allows a company to enforce the protection of its data and that of its employees too.

As part of a mobile security strategy, the following mobility areas are focused on to provide broader coverage of mobile protection:

  • MDM - Mobile Device Management
  • MAM - Mobile Application Management
  • MCM - Mobile Content Management
  • TEM – Mobile Communication Management


One glove does not fit all!

Unfortunately, due to the nature and complexity of the Protection of Personal Information Act (PPI), becoming compliant will entail analysis of the company’s data, the purpose of that data and its business processes to allow the building of a bullet-proof solution. An out-of-the-box, drop-and-go solution will not be sufficient to ensure compliance.

In conclusion, for companies to comply with privacy requirements aligned to Protection of Personal Information legislation, they need to ensure the security, transmission and storage of personal data, together with a clearly defined mobile strategy, mobile user policies and the implementation of reliable and proven technology to ensure the management and protection of data in the enterprise.

Deloitte Consulting has experience in mobile security methodology together with risk advisory services to provide a single source and vantage point for mobile data privacy governance.

To find out more about how to comply with PPI in your Enterprise Mobility strategy, contact Sergio Congia or Marc Rossmann directly.

Personal Information – The Controls Paradigm

Privacy and the Protection of Personal Information (PPI) Act has recently taken the spotlight in the South African legislative environment and will soon become a compliance headache for most organisations. For many organisations it is a compliance black hole; however, some organisations have been aware of the bill for some time, and others have even gone to the extent of defining personal information requirements and strategies.

So where do we start?

Dealing with the requirements for PPI must start with the organisation defining the type of information it receives, processes and distributes. This includes all types of information and data and can be in both manual and electronic formats. The information can also be internally generated (e.g. employee information) or externally generated (e.g. client information). In the realm of privacy, information such as personal details (e.g. name, surname, ID), biometric data, health data, gender and political persuasion all fall within the ambit of the Protection of Personal Information Act.

How is our data used, and do we have the right to use it?

Once the type of information has been defined, the usage of the information must be clearly defined and authorised. This aspect deals with how information is going to be used and how it will be treated after use (stored, destroyed, returned). When the use of the information is clearly defined, it must then be communicated to the relevant parties to obtain their consent for that use. Without this important step, any processing of any personal information could be considered illegal.

The next step is to define the organisation’s stance on privacy and personal information. This may take the form of capturing this information in a privacy policy, privacy strategy and supporting procedures.

If we violated our policy, how would we know? And am I supposed to know?

The act also requires that any losses of personal information are disclosed to the regulator. This therefore implies that mechanisms to identify breaches of information are implemented as part of the organisation’s business, i.e. data leakage prevention activities.

Typically, the answer to this question and the execution of the privacy strategy relies on a set of business process controls which can be preventative or detective and operated in a manual or automated manner.

  • Preventative: Controls that would prevent a risk from occurring
  • Detective: Controls that would detect if a risk materialised
  • Automated: Controls that do not require manual intervention
  • Manual: Controls that are operated by an individual or group of individuals

Ideally, the combination of these controls around personal information should primarily be automated and preventative, with detective controls that would function in detecting a breach or loss. These controls are also distributed in nature and are found across the business process, the application system used to facilitate the business process and the underlying IT infrastructure that supports the application.

Organisations often find themselves asking how to implement controls and ensure the right mix of controls to safeguard personal information or, alternatively, after implementing the controls, how to gain assurance that the controls are operating effectively. In addition, the control landscape is further complicated by the numerous other compliance requirements and related controls that the business relies upon.

How are others effectively dealing with it?

Figure: POPI compliance paradigm

Deloitte has specialists that deal with control landscapes end-to-end, from a business process level down to technical IT controls that need to be configured appropriately. We assist our clients in implementing these controls or in providing assurance that their controls related to privacy are operating effectively.

For more information, contact Prashanth Naidoo on 071 674 9633 or pnaidoo@deloitte.co.za

POPI: Enabling Compliance through effective Data Management

Information is the life blood of every business, but how that information is managed and used is increasingly being regulated, and businesses need to get it right!

The quintessence of the Protection of Personal Information Act (POPI) is to ensure that personal information (PI) is effectively governed and managed in the organisation. POPI enforces rigorous requirements on organisations to manage and govern the way personal information is collected, stored, used, protected, shared and disposed of. Accomplishing this requires the implementation of effective data management capabilities and controls across the organisation.

To gauge your organisation’s data management capability readiness to comply with POPI, how would the following sample questions be answered?

  • Do you know what PI your organisation collects?
  • Do you know where PI is stored? (systems, servers, laptops, mobile devices)
  • Do you know what PI resides in unstructured and semi structured formats? (word, excel, email, text)
  • Do you know who in your organisation has access to PI?
  • Does your organisation share PI with 3rd party service providers?
  • Does your organisation have the ability to delete electronic PI if instructed to do so?
  • Does your organisation record the reason why PI is collected, and where is this stored?
  • Do you know who is accountable and responsible for PI so that effective governance can take place?
  • Does your organisation assess the quality of PI?
  • What measures has your organisation taken to ensure that PI is accurate, up-to-date and not misleading?
  • Has your organisation performed an evaluation to establish the degree of damage to both the data subject and the organisation that could be caused through inaccurate PI?
  • Is PI consistent within and across systems and data bases? (single version of the truth)
  • Does your organisation have a single view of the customer?
  • If requested, would your organisation be able to supply ALL the PI you hold about a data subject?
  • Does your organisation keep PI for longer than is necessary?
  • Does your organisation know when it is no longer allowed to keep PI?
  • How is the review done to determine whether PI should be deleted?
  • Does your organisation have a purging/deletion routine that is executed at regular intervals to delete PI that has reached the end of the retention period?
  • What consents are requested from data subjects when PI is collected?
  • What data loss prevention mechanisms has your organisation implemented?
  • Does your organisation acquire PI from 3rd party data suppliers, and have you obtained consent from the data subject to collect their information?

The requirements of POPI apply across the information life-cycle, from creation and collection, to storage and distribution, to processing and usage, and eventually to archival and deletion. To effectively manage PI and comply with POPI, organisations must invest in establishing the required data management capabilities. The foundational or enabling data management capabilities include Data Governance, Data Quality Management, Master Data Management, Metadata Management, Records Management, Information Security, Data Development Management and Data Architecture Management.

While the requirements of POPI seem onerous, they also represent good business practice. If implemented correctly, complying with POPI has the potential to generate tremendous business value.

For more information on how and where POPI has an effect on your business, contact Daniella Kafouris directly!

POPI & its effects on your social media marketing

What is the purpose of POPI?

The purpose of POPI (Protection of Personal Information) is to protect the right to privacy in the processing of personal information, and to balance the right to privacy against other rights, such as the right of access to information.

This change to the law influences email marketing and database marketing (direct marketers) because the processing of information for direct marketing is (under POPI) prohibited unless the company can gain implicit consent from the person involved.

What effect does this have on Social Media Marketing?

In essence, those practising social media marketing are already in compliance with the Protection of Personal Information Bill. At its core, the Bill says that you need to have implicit consent to contact or solicit business from those who you are in contact with. As the individuals who are engaged with you via your social channels have done so voluntarily, they have already consented to receive communication from you.

The trick with social media marketing comes when you have a social media presence that is dedicated to a specific purpose, let’s say customer service, and then this channel becomes a sales channel.

The initial value proposition that you gave to those individuals who followed you has changed.

When it comes to changing the purpose of a social communications channel, the spirit of POPI comes into play: you are no longer communicating with individuals within the area for which they originally gave you their consent, and this is in direct contrast to the Protection of Personal Information Bill.

While there is a simple way for those who are following you to stop receiving your now unsolicited communication (simply unfollowing you), POPI says that the onus is on the business from which the communication originates to first gain permission from the individual.

In short, a business that is using social media as a communication channel or customer service channel and then alters the purpose of that channel can only do so (under POPI) once everyone who follows that organisation’s channel has given their permission that they agree to receive a different kind of communication.

For more information on POPI and its application to social media initiatives, please contact Daniella Kafouris or Jonathan Houston.

POPI and its effects on your Technology Organisation

The Protection of Personal Information (“PPI”) Law provides for various legal requirements that are relatively cumbersome on organisations. The conditions in the PPI law provide for 8 key principles that need to be adhered to in all aspects of your information life cycle. Although upon first reading these conditions one would presume that they may be simple to adhere to, the reality is that operationalizing these requirements is not as easy as one may assume.

The role of PETs (Privacy Enhancing Technologies) cannot be overstated when looking at how the PPI law will affect your IT organisation as well as you personally.

What are privacy enhancing technologies?

Technology can assist companies’ compliance with the principles that protect individuals’ (their clients’) privacy and can go even further in empowering individuals, giving them the ability to access and control information that is stored about them. These individuals can then decide how and when it will be disclosed to and used by third parties. This obviously pertains to personal information that is kept in electronic format, but we must remember that the PPI law applies to personal information in both soft and hard copy format.

The best protection for individuals is to ensure that their personal information is only collected where it is necessary, relevant and not excessive in nature. Traditionally, privacy enhancing technologies (PETs) have been limited to ‘pseudonymisation tools’. These fancy-sounding tools are software and systems that allow individuals to withhold their true identity from those operating electronic systems or providing services through them, and only reveal it when absolutely necessary.

These technologies help to minimise the information collected about individuals and include anonymous web browsers, specialist email services, and digital cash.

There is a strong view that there needs to be a wider approach to privacy enhancing technologies, and this could include:

  • encrypted biometric access systems that allow the use of a fingerprint to authenticate an individual’s identity, but do not retain the actual fingerprint;
  • secure online access for individuals to their own personal data to check its accuracy and make amendments;
  • software that allows browsers to automatically detect the privacy policy of websites and compares it to the preferences expressed by the user, highlighting any clashes; and
  • “sticky” or “omnipresent” electronic privacy policies that are attached to the information itself preventing it being used in any way that is not compatible with that policy.

What are the high-level goals of PETs?

With the rollout of the PPI law, PETs are there to assist users to take one or more of the following actions related to their personal data sent to, and used by, online service providers, merchants or other users:

  • increase control over their personal data sent to, and used by, online service providers and merchants (or other online users)
  • data minimisation: minimise the personal data collected and used by service providers and merchants
  • choose the degree of anonymity (e.g. by using pseudonyms, anonymisers or anonymous data credentials)
  • achieve informed consent about giving their personal data to online service providers and merchants
  • data tracking: allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions
  • facilitate the use of their legal rights of data inspection, correction and deletion


Who is responsible?

The onus is on organisations to give their users access that enables them to track and examine what personal information has been stored and utilised for different activities.

Technology Philosophy

From an organisation’s point of view, this fundamentally changes the way in which systems are designed. No longer can access to personal information be taken for granted; now the rights of an individual, as they pertain to their personal information, need to be inherently contained in the thinking, planning and design of systems.

In other words, a system designer should start from the position of trying to protect individuals’ privacy by creating or implementing PETs. To that end they should be asking some of the following questions:

  • Do I need to collect any personal data at all?
  • If so, what is the minimum needed?
  • Who will have access to which data?
  • How can accesses be controlled to allow only those which are for the purposes stated when the data was collected, and then only by those employees and processes that have an essential need?
  • Can individuals make total or partial use of the system anonymously?
  • How can I help individuals to exercise their rights securely?

As POPI comes into law in South Africa, this will not be a theoretical discussion but rather one with a very definite application date. As it stands, as soon as the POPI Act is signed into law there will be a 1 year grace period within which organisations need to comply.

For more information on POPI as well as PETs, contact Daniela Kafouris or John Karageorgiou.

POPI and the effects on Direct Marketing

Direct marketing may indeed be the bane of many a person’s life. We have more than likely all been victim to the unsolicited email or phone call offering us money-saving products or services (and usually at the most inconvenient time). There is, however, a silver lining to this dark direct-marketing cloud (and it is for both the individuals and the direct marketers themselves).

The Protection of Personal Information (or POPI) Bill will soon be signed into law by the South African President (Jacob Zuma), and with that signature comes a host of compliance criteria.

What is the purpose of POPI?

The purpose of POPI is to protect the right to privacy in the processing of personal information, and to balance the right to privacy against other rights, such as the right of access to information.

This change to the law influences email marketing and database marketing (direct marketers) because the processing of information for direct marketing is (under POPI) prohibited unless the company can gain implicit consent from the person involved.

How is this good news for consumers?

As a consumer this is excellent news, as there will now be specific controls and measures taken to ensure that your personal information is not abused by marketers and companies in an effort to sell you products or services that you may not necessarily need or want.

How is this good news for direct marketing?

As a direct marketer, at first glance it may appear that there is a finite timeline to your marketing efforts, but in reality the POPI Bill does not prohibit direct marketing. POPI rather regulates the way in which direct marketing is done, in an effort to ensure that the consumer is protected.

This just means that your efforts as a direct marketer are going to have to be far more focussed and deliberate. This focus will translate into your efforts being far more successful, as the pool that you are marketing to will have been reduced by taking away the irrelevant contacts. In short, POPI can help you build a far more customer-focussed business.

Direct marketers can use the following POPI Bill implementation guide to initially check their compliance:

  • Conduct an audit of the processes used to collect, record, store, disseminate and destroy personal information.
  • Check what interventions are in place to prevent personal information from being lost or damaged, or unlawfully accessed.
  • Ensure that the purpose of the information collected is defined in the gathering and processing phases.
  • Ensure that within your process, steps are taken to notify the individual whose information is being processed, and for what purpose.

As a general rule, direct marketers should be able to accommodate data subjects’ requests to know which third parties have access to their information (this is covered in some more detail in an article on PETs – Privacy Enhancing Technologies – being published in February).

It is also imperative to know that ignorance of the law is no defence, and to that end it is critical that you know the restrictions for sending personal information outside of South Africa as well as the general consequences of the Protection of Personal Information Bill.

For more information on POPI and its application to direct marketing initiatives, please contact Daniella Kafouris or Jonathan Houston.

Cloud Computing and PPI: Finding your bearing

Cloud computing is revolutionising the way IT services and resources are delivered, offering access to information anytime, anywhere and on any device. More and more organisations evaluate cloud-based solutions first before making any IT investments, as cloud computing provides flexible and cost-effective resources to support business growth; enhances collaboration and deepens customer relationships at much lower cost; and accelerates IT innovation by reducing research and product development cycles. Even though the cloud market is growing at an exponential speed, the full business potential of cloud is yet to be realised, and even to be understood by executives.

Cloud adoption in South Africa is still very reactive due to a number of reasons. The main reasons include large investments made in legacy systems; inadequate cloud understanding; the fear of losing control; regulatory and compliance issues; network challenges and high bandwidth costs; and security and privacy concerns. Notably, from a regulation, compliance, security and privacy perspective, the PPI (Protection of Personal Information) Law plays a large role in the decision to adopt cloud-based solutions.

The impact of PPI on cloud-based solutions

Whether you are utilising cloud-based solutions or planning to adopt cloud, it is critical to identify any personal information that will be collected, transferred, used, stored or shared between your organisation and the cloud provider and/or any other third parties. Sections 19 to 22 of the PPI Bill prescribe the security safeguards that the responsible party (your organisation) and the operator (cloud provider) need to adhere to in the processing of personal information. Responsibilities for the safeguarding of personal information include identifying internal or external risks to personal information; establishing and maintaining appropriate safeguards; regularly verifying the effectiveness of safeguards; and continually updating safeguards in response to new risks or identified deficiencies (Section 19(2)).

Section 21 of the PPI Bill specifies that if the responsible party (your organisation) requires the processing of personal information by an operator (the cloud provider), there must be a written agreement stipulating that the cloud provider must establish and maintain safeguards to protect the integrity and confidentiality of personal information. Furthermore, chapter 9 of the PPI Bill deals with trans-border information flow, stipulating that the responsible party (your organisation) may not transfer personal information to a third party (cloud provider) who is in a foreign country unless (1) the recipient is subject to a binding agreement (upholding the requirements of safeguarding personal information); or (2) the cloud provider is adhering to adequate in-country laws (substantially similar to the provisions in the PPI Bill).

When utilising cloud-based solutions, it is therefore important to give consideration to the following:

  • Identification and protection of personal information in the cloud (i.e. data processed in unlawful manner, inappropriately collected data, unauthorised access to personal information and intellectual property, unauthorised exposure of data at cloud location, malicious activity of co-tenant, subpoena by law enforcement (digital evidence / e-discovery)).
  • Responsibilities and liability of the cloud provider (i.e. ensuring that the agreement between your company and the cloud provider caters for the privacy and security requirements as stipulated in Section 19-22 of the PPI Bill).
  • Cross-border transfer of personal information (ensuring compliance with Chapter 9 of the PPI Bill).


How can we help you?

Let us help you make sense of your personal information in the cloud.

Figure: PPI in the cloud

For more information on Cloud Computing and PPI, contact Dr Mariana Carroll (Senior Manager: Deloitte Consulting) or Daniela Kafouris (Privacy Leader: Deloitte Legal).

PPI can bring benefits to those corporates which comply

JOHANNESBURG, January 26, 2012 – Saturday, 28 January 2012 marks international Data Privacy Day. The day highlights the impact technology is having on our privacy rights and underlines the importance of valuing and protecting personal information. While the day is recognised internationally by business professionals, corporate South Africa is grappling with our privacy

As South Africa’s Protection of Personal Information (PPI) Bill looms over the country’s corporate sector, many companies are racing against time to grasp the compliance demands of the legislation. Unfortunately, in their haste many are underestimating the benefits that compliance could bring to their

“The PPI Bill is a natural progression for South Africa. At its most basic, the legislation reinforces every South African’s constitutional right to privacy. At the other end of the scale, it brings the country into line with most of its significant international trading partners, a factor that builds confidence when information is transmitted across borders,” says Deloitte Legal Director, Dean Chivers.

Looking beyond compliance, effort and cost, there is substantial value for those implementing PPI. The value of the corporate brand will increase, with customers and business partners having more trust in the organisations with which they do business. According to Chivers, this customer value can translate into financial benefits.

PPI’s value for a brand is incalculable. The recent announcement that about R41 million had been stolen by hackers infiltrating the PostBank database illustrates perfectly the reputational and monetary loss involved when customer information is hacked.

The recent case where Zappos in the USA was hacked and had to notify in the region of 24 million customers of the breach and implement preventative measures further indicates some of the potential downside. Indeed, data events like hacking, data loss, unauthorised data use, insufficiently regulated outsourcing and cross-border data transfers all present significant value risk.

Added to this, on January 25, 2012, the European Commission proposed increased penalties for data privacy breaches, which envisage penalties of up to 2% of a company’s global annual turnover.

companies will need to reassess their data management process, analyse their security, amend processes and change their contracts, companies should not look at the PPI Bill as purely an inconvenience. Rather, by aligning the requirements of the Bill to existing projects and reporting structures, PPI can offer a sustainable and measurable return on investment,” concludes Chivers.


Magna-Carta PR
+27(0)11 784 2598

Lana-Jane Pike
Deloitte & Touche Southern Africa
+27(0)11 209-6214

Direct marketers must comply with consumer protection legislation or face the consequences

by Candice Holland of Deloitte Legal

South Africa has seen the promulgation of numerous pieces of consumer protection legislation which impose a number of compliance obligations on business, and there is more to come. The Consumer Protection Act has been the most recent piece of such legislation, with the Protection of Personal Information Bill in the pipeline.

With the Consumer Protection Act, we have seen an aggressive regulator who has tackled business head on, wanting swift compliance and issuing consent orders where she deems necessary. The result we have seen is businesses trying to find the balance between becoming compliant with the legislation to protect their brand and the reasonable cost of implementing such compliance measures.

With respect to the Protection of Personal Information Bill, the measures applicable to the gathering, processing, retention and destruction of information are set to be revolutionised. In addition, the Electronic Communications and Transactions Act will be touched by the looming enactment of the Protection of Personal Information Bill. The Protection of Personal Information Bill is raising interesting challenges for business on how it will impact the way in which business should be done, particularly with respect to direct marketing.

The debate as to whether or not the Protection of Personal Information Bill will, in its final form, require all persons to opt in for direct marketing or whether an opt-out system will be sufficient still rages. Interestingly enough, all three pieces of legislation, the Consumer Protection Act, the Protection of Personal Information Bill and the Electronic Communications and Transactions Act, touch on direct marketing; this will surely become one of the most hotly debated areas of business in the near future.

All three of these pieces of legislation will be further unpacked at a workshop which Deloitte is hosting on 2 November 2011 at the Deloitte Auditorium, 20 The Woodlands Office Park, Woodmead, Sandton from 07h30 to 12h15. The workshop will focus on the key CPA pending questions with our views on the interpretations, covering:

  • Case studies and recommendations on resolution
  • Consent notices issued
  • The often controversial lessons and experiences to date, and an analysis of the cases before the Commissioner

Deloitte specialists will explore the probable impact of PPI on the current ECT regulations, as well as the impact and business implementation of PPI both locally and globally, ensuring maximum benefit for an organisation.

Delegate Rates

1 to 2 Delegates – R1750 (excl VAT) per delegate
3 or more Delegates – R1500 (excl VAT) per delegate


Deloitte talks about maintaining privacy and security in the cloud

This article was prepared by Daniella Kafouris of Deloitte Legal, South Africa and discusses privacy and security issues relating to cloud computing. If you have any questions or require additional information, you may contact Daniella at dkafouris@deloitte.co.za. Visit the Deloitte cloud computing website for more information on cloud computing.

How do you maintain privacy and security in the cloud?

Cloud computing has become one of the most talked-about concepts in South African business. Privacy and security in the cloud are two of the concerns that hold many companies back from depositing their information in the cloud.

The Protection of Personal Information Bill (“PPI”) will have a significant impact on all South African organisations in terms of compliance methodologies and approaches to new business, products and services. Many South African companies are not yet PPI compliant and are engaging, or wish to engage, in various services (SaaS, IaaS and so on) without clarity on the implications that the pending legislation may have on their choices and on the manner in which they engage in these services.

According to the 2010 IBM Global IT Risk Study, only 3% of South African companies are interested in cloud computing. By comparison, in China just under 40% of companies are interested in engaging in cloud computing services.

There are three main privacy-related issues encountered when engaging in cloud-related services:

  1. Cross-border data transfers will certainly be a significant issue, since most cloud providers host their cloud in another country. This complicates matters for an organisation that will be placing various levels of personal information in a cloud. Intensive research will need to be conducted to ascertain the impact that cross-border data transfers may have on an organisation.
  2. Security in the cloud is the next issue, and it depends on the country in which the cloud is hosted. For example, in the United States of America only certain levels of encryption are permitted, due to the Patriot Act permitting the United States government to decrypt any information that it deems to be a threat. As another example, the Massachusetts Data Encryption Law 201 CMR 17.00 states that all sensitive information stored on a laptop, or in any other environment where employees or anyone else will have access, must be secured with at least password protection using a minimum of 7 characters.
  3. Risk: organisations need to remember that, when using a public cloud, the organisation deposits its information in the cloud but the risk does not transfer. Thus, if any information is compromised, the liability remains with the organisation. The good news is that the organisation will have recourse against the cloud provider if their contract provides for it; the bad news is that the organisation’s reputation would already have been damaged.

Many of the principles defined in PPI must form part of the legal audit performed prior to engaging in cloud-related services. It is therefore vital that, before engaging in such services, an organisation researches the impact they may have on its privacy compliance.

Hence, a complete legal audit and report will need to be conducted in order to ascertain the legality, as well as the compliance prerequisites, of depositing personal information in the cloud.
