Assessing legal risks in moving to the cloud

July 16th, 2019, Published in Articles: EE Publishers, Articles: PositionIT, Featured: PositionIT

Many businesses are moving to cloud computing to reap the benefits it provides, from scalability and agility to the ability to analyse and interpret data in a way that helps meet client demands. However, before moving any business functions to the cloud, a business must assess the legal issues that will affect its ability not only to move to the cloud, but also to make full use of cloud services.

Wendy Tembedza

These issues relate primarily to the regulatory environment in which the business operates, which may impact a move to cloud; internal data hygiene related to compliance with data protection legislation; and ensuring that the business implements best practice in its corporate governance regarding risk mitigation.

The cloud customer will remain responsible for its own compliance requirements. As such, businesses should ensure that they understand the regulatory environment in which they operate. Certain sectors are required to comply with specific rules regarding how data is managed.

For example, in the banking sector, the Prudential Authority issued Directive D3/2018 and related Guidance Note G5/2018 (Banking Cloud Rules) on cloud computing and the offshoring of data for banks. With the increasing adoption of the cloud, this approach may filter through to other sectors that will soon be subject to similar regulatory requirements.

To help businesses understand their regulatory requirements, some cloud service providers (CSPs) have produced useful materials that explain the cloud offering in the context of the regulatory requirements applicable to specific sectors. Businesses should make use of such resources to understand their regulatory obligations before appointing a CSP.

In order to facilitate a move to the cloud, a business should first conduct an exercise to determine what data it has (for example sensitive personal information); where the data is stored; and who has access to the data. This will help a business better understand the level of risk attached to moving any category of data to the cloud, or whether it is even appropriate to move all or part of its data to the cloud.

Such an exercise will also assist a business to comply with data protection legislation such as the Protection of Personal Information Act, 2013 (POPIA) which, once fully operational, requires entities that handle personal information to implement various controls regarding such personal information.

Furthermore, it will help determine whether the business has in place the data processing documentation needed to meet its data management requirements, be it a cloud computing policy, privacy policy, acceptable use policy or personal device usage policy. Importantly, any move to the cloud should be aligned with a business’s data governance framework.

Some businesses think that implementing a cloud solution is a plug-and-play exercise which absolves the business from any responsibility for how cloud services are managed. Furthermore, cloud services will not, in general, be tailored to the needs of a particular business. As such, a business will need to research various cloud offerings to ensure that the CSP meets their particular needs.

When negotiating the CSP contract, a business should use the opportunity to ask questions about the nature and extent of the cloud service. Important questions include the CSP’s contingency plan, data storage (locally or abroad), service levels, access to data and audit rights.

Established CSPs understand the importance of open communication in building trust in the cloud and are open to having discussions with businesses about various product offerings. Businesses should take advantage of this opportunity to satisfy themselves that a cloud service offering meets their requirements.
