Deloitte SA Blog

PPI can bring benefits to those corporates which comply

JOHANNESBURG, January 26, 2012 – Saturday, 28 January 2012 marks international
Data Privacy Day. The day highlights the impact technology is having on our
privacy rights and underlines the importance of valuing and protecting personal
information. While the day is recognised internationally by business
professionals, corporate South Africa is grappling with our privacy
legislation.

As South Africa’s Protection of Personal Information (PPI) Bill looms
over the country’s corporate sector, many companies are racing against time to
grasp the compliance demands of the legislation. Unfortunately, in their haste many are
underestimating the benefits that compliance could bring to their
operations.

“The PPI Bill is a natural progression for South Africa. At its most
basic, the legislation reinforces every South African’s constitutional right to
privacy. At the other end of the scale, it brings the country into line with
most of its significant international trading partners, a factor that builds
confidence when information is transmitted across borders,” says Deloitte Legal
Director, Dean Chivers.

Looking beyond compliance, effort and cost,
there is substantial value for those implementing PPI. The value of the
corporate brand will increase with customers and business partners having more
trust in the organisations with which they do business. According to Chivers,
this customer value can translate into financial benefits.

PPI’s value for a brand is incalculable. The recent announcement that
about R41 million had been stolen by hackers infiltrating the PostBank database
illustrates perfectly the reputational and monetary loss involved when customer
information is hacked.

The recent case where Zappos in the USA was
hacked and had to notify in the region of 24 million customers of the breach
and implement preventative measures further indicates some of the potential
downside. Indeed, data events like hacking, data loss, unauthorised data use,
insufficiently regulated outsourcing and cross-border data transfers all
present significant value risk.

Added to this, on January 25, 2012, the
European Commission proposed increased penalties for data privacy breaches,
which envisage penalties of up to 2% of a company’s global annual turnover.

“While companies will need to reassess their data management process, analyse their
security, amend processes and change their contracts, companies should not look
at the PPI Bill as purely an inconvenience. Rather, by aligning the requirements
of the Bill to existing projects and reporting structures, PPI can offer a
sustainable and measurable return on investment,” concludes Chivers.

Contact:

Luleka Mtongana
Magna-Carta PR
+27(0)11 784 2598
Luleka@Magna-carta.co.za

Lana-Jane Pike
External Communication
Deloitte & Touche Southern Africa
+27(0)11 209-6214
lpike@deloitte.co.za

Direct marketers must comply with consumer protection legislation or face the consequences

by Candice Holland of Deloitte Legal

South Africa has seen the promulgation of numerous pieces of consumer protection legislation which impose a number of compliance obligations on business, and there is more to come. The Consumer Protection Act has been the most recent piece of such legislation, with the Protection of Personal Information Bill in the pipeline.

With the Consumer Protection Act, we have seen an aggressive regulator who has tackled business head-on, wanting swift compliance and the issuing of consent orders where she deems necessary. As a result, we have seen businesses trying to find the balance between becoming compliant with the legislation to protect their brand and the reasonable cost of implementing such compliance measures.

With respect to the Protection of Information Bill, the measures applicable to the gathering, processing, retention and destruction of information are set to be revolutionised. In addition, the Electronic Communications and Transactions Act will be touched by the looming enactment of the Protection of Personal Information Bill. The Protection of Personal Information Bill is raising interesting challenges for business on how it will impact the way in which business should be done, particularly with respect to direct marketing.

The debate still rages as to whether the Protection of Personal Information Bill will, in its final form, require all persons to opt in for direct marketing or whether an opt-out system will be sufficient. Interestingly enough, all three pieces of legislation, the Consumer Protection Act, the Protection of Personal Information Bill and the Electronic Communications and Transactions Act, touch on direct marketing; this will surely become one of the most hotly debated areas of business in the near future.

All three of these pieces of legislation will be further unpacked at a workshop which Deloitte is hosting on 2 November 2011 at the Deloitte Auditorium, 20 The Woodlands Office Park, Woodmead, Sandton from 07h30 to 12h15. The workshop will focus on the key pending CPA questions, with our views on the interpretations, covering:

  • Case studies and recommendations on resolution
  • Consent notices issued
  • The often controversial lessons and experiences to date, and an analysis of the cases before the Commissioner

Deloitte specialists will explore the probable impacts of PPI upon current ECT regulations, as well as the impact and business implementation of PPI both locally and globally, ensuring maximum benefits for an organisation.

Delegate Rates

1 to 2 Delegates – R1750 (excl VAT) per delegate
3 or more Delegates – R1500 (excl VAT) per delegate


Deloitte talks about maintaining privacy and security in the cloud

This article was prepared by Daniella Kafouris of Deloitte Legal, South Africa and discusses privacy and security issues relating to cloud computing. If you have any questions or require additional information, you may contact Daniella at dkafouris@deloitte.co.za. Visit the Deloitte cloud computing website for more information on cloud computing.

How do you maintain privacy and security in the cloud?

Cloud computing has become one of the most talked about concepts in South African businesses. Privacy and security in the cloud are two of the concerns that hold many companies back from depositing their information in the cloud.

The Protection of Personal Information Bill (“PPI”) will have a significant impact on all South African organisations in terms of compliance methodologies and approaches to new business, products and services. Many South African companies are not yet PPI compliant and are engaging or wish to engage in various services (SaaS, IaaS and so on) without clarity of the future implications that pending legislation may have on their choices as well as the manner in which they engage in these services.

According to the 2010 IBM Global IT Risk Study, only 3% of South African companies are interested in cloud computing. By comparison, just under 40% of companies in China are interested in engaging in cloud computing services.

There are three main privacy-related issues encountered when engaging in cloud related services:

  1. Cross-border data transfers will certainly be a significant issue, because most cloud providers host their cloud in another country. This will complicate matters for an organisation that will be placing various levels of personal information in a cloud. Intensive research will need to be conducted in order to ascertain the impact that cross-border data transfers may have on an organisation.
  2. Security in the cloud is the next issue, and it depends on the country one wishes to approach. For example, in the United States of America there are only certain levels of encryption permitted, due to the Patriot Act permitting the United States government to decrypt any information that it deems to be a threat. As an alternate example, the Massachusetts Data Encryption Law 201 CMR 17.00 states that all sensitive information stored on a laptop, or in any other environment where employees or anyone else will have access, must be secured with a minimum of password protection using at least 7 characters.
  3. Risk: Organisations need to remember that when using a Public Cloud, an organisation deposits its information in the cloud but the risk does not transfer. Thus, if any information is compromised, the liability remains with the organisation. The good news is that the organisation will have recourse against the cloud provider if their contract provides for it, but the bad news is that the organisation’s reputation will already have been damaged.

Many of the principles defined in PPI must form part of the legal audit performed prior to engaging in cloud-related services. Thus, it is vital that, prior to engaging in cloud-related services, an organisation conducts research into the impact that this may have on its privacy compliance.

Hence, a complete legal audit and report will need to be conducted in order to ascertain the legality as well as compliance prerequisites of depositing personal information in the cloud.
