Our clients trust us with sensitive information – is their data safe and secure on the Google Cloud, and what about data sovereignty and compliance?

As someone who works in cloud services, I’ve had many people query what the cloud is and whether or not their sensitive data is safe once it’s been uploaded. 

I’ve put together some answers to the questions that most frequently come up around cloud safety. If you’re considering using cloud-based services but are still a bit hesitant, this is for you.

What are cloud services?

In a nutshell, cloud computing is the delivery of computing services, like servers, storage, databases, networking, software, analytics, and AI, over the internet. Having access to these resources online is much more efficient and comes with several benefits.

One of the biggest benefits of cloud infrastructure is you only pay for the services you use, which can help you lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change. This payment model also allows you to introduce greater flexibility and more innovation.

While ‘cloud services’ is the umbrella term that is frequently used, it’s important to note that there are three different models of cloud computing. 

Public cloud

Public clouds are owned and operated by third-party cloud service providers, which deliver their computing resources, like servers and storage, over the internet. With a public cloud, all hardware, software, and other supporting infrastructure is owned and managed by the cloud provider. You access these services and manage your subscription via a web browser.

Private cloud

A private cloud refers to cloud computing resources used exclusively by a business. A private cloud can be physically owned and located in the company’s on-premises data centre, or it can be hosted by third-party service providers.

Hybrid cloud

As the name suggests, hybrid clouds combine public and private clouds that are connected by technology and allow data and applications to be shared between them. By allowing data and applications to move between private and public clouds, a hybrid cloud gives your business greater flexibility and more deployment options, and helps optimise your existing infrastructure, security, and compliance.

How do they work?

Most cloud computing services fall into three broad categories or stacks, which influence how they operate: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). 

Infrastructure as a Service (IaaS)

This is the most basic category of cloud computing services. With IaaS, you rent IT infrastructure, like servers and virtual machines (VMs), storage, networks and operating systems, from a cloud provider on a pay-as-you-go basis.

Platform as a Service (PaaS)

Platform as a Service refers to cloud computing services that supply an on-demand environment for developing, testing, delivering and managing software applications. PaaS is designed to make it easier for developers to quickly create web or mobile apps without worrying about setting up or managing the underlying infrastructure of servers, storage, network and databases needed for development.

Software as a Service (SaaS)

Software as a Service is a method for delivering software applications over the internet on demand, typically on a subscription basis. With SaaS, cloud providers host and manage the software application and underlying infrastructure, and handle any maintenance, like software upgrades and security patching. Users connect to the application over the internet, usually with a web browser on their phone, tablet or PC.

What does this mean for data sovereignty?

In its simplest form, data sovereignty describes the legal principle that electronic information is regulated or governed by the legal regime of the country in which that data resides.

We are often asked whether cloud services are restricted under the data sovereignty provisions of the Protection of Personal Information (PoPI) Act and consequently, whether they may store data outside of South Africa.

With cloud computing, and specifically the public cloud aspect thereof, the data that users generate in most instances resides on servers outside the legal or territorial borders of the users’ country of residence. This means that the data of an individual becomes subject to a foreign legal regime.

Section 72 of PoPI deals with transfers of personal information outside South Africa. It essentially says that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless certain protections are in place. For example, if:

  • The foreign country has a law that provides adequate protection
  • There are binding corporate rules that provide adequate protection
  • There is an agreement between the sender and the receiver that provides adequate protection
  • The data subject consents
  • The transfer is necessary for the responsible party to perform in terms of a contract

Based on these factors, PoPI does not broadly prohibit the transfer of data outside of South Africa.

However, while Section 72 does not prohibit cross-border data flows, it does move to protect personal information by enforcing the above-mentioned conditions. The responsible party needs to apply these conditions so that a data subject’s personal information remains protected as it moves offshore.

Put simply: If you use cloud services, it is likely that your information will be stored outside your country of residence. However, in South Africa, there is legislation in place to prevent non-compliant parties from moving and accessing your personal information. 

At Google Cloud, we have chosen data centres that fall under the General Data Protection Regulation (GDPR) umbrella. GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.

Deep Learning Café is an AI Consulting Company based in Johannesburg. If you’d like to get in touch with us to discuss how we can help you make AI work for your business, pop us an email. You can also check out our blog here.

Christian Hagner

Christian has been in IT for over 20 years and has worked with some of South Africa's largest organisations operating in business sectors from financial to retail to mining. Christian is currently serving as the CTO for Siatik, a leading Google Premier Partner, and heads his team in creating industry-leading solutions for their customers.
