Under PoPIA many service providers might lose their clients
Author: Michiel Jonker
Who carries the responsibility for an organisation’s data security?
The challenge of implementing privacy regulations, as required by PoPIA (Protection of Personal Information Act), carries with it a degree of panic. There are professionals that argue that the implementation processes are quite simple, others, again, find it less concrete, and consequently, warn against underestimating the Act’s requirements. As legislation stands, the penalty imposed for malpractice, whether intentional or not, is steep: a R10 million fine, or a 10-year prison sentence might be incurred.
The CEO/Managing Director/Owner of a business takes full accountability and responsibility for the data security of said organisation. S/he has been designated the position of Information (Data Privacy) Officer, by default, according to the Act. Even though the CEO may appoint (delegate responsibility to) a subordinate or two to assist with implementation and monitoring, the pressure to produce a 100% foolproof environment, let alone, maintain it, is immense. The CEO is still accountable, even though responsibility has been delegated.
What complicates things further, according to Michiel Jonker, director at Futura International (and former partner at two multi-national audit firms), is that it is common practice these days for businesses to outsource specific tasks to third parties (service providers (also called service organisations)). By implication, when data processing tasks or any other organisational functions (or even IT infrastructure) are outsourced, part of the business’ internal control system is extended to, and falls within, the ambit of the service provider.
In other words, for the business to account for sound corporate and IT governance, both the business and the service organisation must implement adequate and effective internal control systems to protect personal data.
However, the business is ultimately still accountable to ensure that the service organisation takes responsibility for the operational effectiveness of their part of the internal control system (i.e., their data privacy practices and data security).
Service Level Agreements (SLAs): right to audit clause
This brings us to the second point. PoPIA is clear that an SLA is the main control measure for a business to enforce data privacy compliance by their service providers.
With PoPIA now effective, over and above the inclusion of performance requirements, a business has to define minimum (IT) security and data privacy compliance standards in their SLAs with their service providers. The objective of the “right to audit” OR the “right to receive an independent assurance report” clause is to allow the business (also called the “Responsible Party” by PoPIA) the right to obtain (at least annually) assurance that their service providers do comply with their data privacy standards (e.g., compliance with their relevant data privacy policies, procedures, and standards).
We predict that in the future service providers (also called “Operators” by PoPIA) might be requested to provide their corporate clients with an annual independent assurance report, expressing an audit opinion on the status of their privacy practices and controls. Outside the USA, this audit opinion can be expressed and issued under the “International Standard on Assurance Engagements (ISAE)” – which is the ISAE 3000: “Assurance Engagements Other Than Audits or Reviews of Historical Financial Information”. (This standard has been issued by the International Auditing and Assurance Standards Board (IAASB)).
However, we expect that some Responsible Parties might rather insist on a SOC 2 report. The SOC 2 report is also an independent, annual, assurance report by an audit firm, expressing an audit opinion on a service organisation’s internal control (and in a SOC 2 scenario, internal control over IT security, data and system availability, data privacy, data confidentiality, and processing integrity). This might be unavoidable, as PoPIA requires organisations to ensure that their service providers comply with best practices. Outside the USA, the SOC 2 audit opinion can also be expressed under the ISAE 3000 audit standard, but by using the “Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy”, as set forth in the TSP section 100, 2017 (updated March 2020), as a framework. (TSP 100 was established by AICPA (AICPA is the American Institute of Certified Public Accountants.))
Responsible Parties might therefore decide to request either an ISAE 3000 or SOC 2 report, covering at least the security, availability, and privacy principles. In cases where the Responsible Party is concerned about their own data (i.e., the legal entity’s data), like the protection of their intellectual property (which comes in different shapes and forms), they might also insist that the report covers the confidentiality principle.
It is also important to note that without proper IT security, privacy is non-existing. Because most data are today in an automated form, IT and cybersecurity have become critical to achieve data privacy objectives. Security is the foundation of data privacy.
As mentioned above, the SOC 2 covers security, availability, processing integrity, confidentiality, and privacy controls. However, SOC 2 also covers some COSO (The Committee of Sponsoring Organizations of the Treadway Commission) “points of focus”, in addition to the trust services criteria of security, availability, processing integrity, confidentiality, and privacy. These points of focus represent important characteristics laid out by the trust services criteria. They address design, implementation, and operational control procedures over security, availability, processing integrity, confidentiality, and privacy.
To obtain a SOC 2 report, a service organisation has the option to choose from the five principles – the management of the organisation may choose to be audited on all five principles or just one, two, three or four principles, namely:
- the security principle addresses all logical and physical security controls;
- the availability principle covers all data and system controls ensuring the availability of data and systems to legitimate users (e.g., backups, data replication and disaster recovery controls);
- the confidentiality principle is all about controls related to the protection of the user entity’s intellectual property information (handled by the service organisation);
- the privacy principle, unlike the confidentiality principle, relates to the controls ensuring the protection of a private individual’s personal data; and
- the processing integrity principle addresses the service organisation’s business process and application controls, ensuring data integrity (i.e., the completeness, accuracy, and validity of processed data).
In a survey conducted by WorldWideWorx on behalf of Zoho, a global tech company, only 57% of South African companies implement policies to protect customer data. It therefore becomes clear why the Authority demands the assurance provided by the SOC 2 report. Service organisations simply won’t have a choice, if they want to keep their clients.
And, a last concern to be addressed… (yes, it ain’t over till the fat lady sings)… some service providers are concerned about the time and effort that it would take to undergo an ISAE 3000 or SOC 2 audit. Although the first year could take some effort to pass an ISAE 3000 or SOC 2 audit, it would be far easier in the subsequent years… in any case, to avoid a stampede of auditors, all of them wanting to come and audit you as a service organisation, it would be far more efficient to obtain one annual report (from one firm), than entertaining multiple clients’ auditors.