Intelligent CIO Africa Issue 114 | Page 40

FEATURE
This changing landscape is also influencing how companies purchase cloud services. The Protection of Personal Information Act (PoPIA) has fundamentally altered procurement discussions. When evaluating local cloud providers, compliance teams now sit alongside technical, commercial and executive stakeholders.
Importantly, PoPIA places accountability on the organisation, not the cloud provider. While providers play a critical role in securing infrastructure and protecting workloads, businesses remain responsible for ensuring that personal information is processed lawfully and in accordance with regulatory requirements.
“Selecting a provider based solely on price or convenience, without properly interrogating compliance commitments, creates unnecessary risk,” Haasbroek warned.
The Information Regulator has also made it clear that enforcement activity is increasing, making documented answers to key questions around sovereignty, security and governance more important than ever. Simply stating that a cloud provider was trusted will not be an adequate defence if a breach occurs.
Good sovereign cloud governance ultimately requires an ongoing commitment rather than a one-time tick-box exercise. It begins with understanding which data and workloads require stricter protection, supported by a clear classification framework, robust contracts and strong technical controls. Organisations should also maintain independent audit rights and regularly validate that providers continue to deliver on their contractual commitments.
At the same time, cloud providers must ensure transparency around infrastructure management, security controls and incident response processes. Sovereignty works best when it is treated as a shared responsibility, with providers securing the infrastructure and customers actively governing how their information is managed and protected.
As AI becomes more deeply embedded in business operations, sovereignty will be defined less by where data resides and more by who controls it, how it is used and who is accountable for it. According to Haasbroek, organisations that ask the right questions today, and can demonstrate genuine control over their data environments, will be far better positioned to navigate the regulatory, operational and governance challenges that lie ahead.