
POPIA and Vendor Management

17 June 2021 | Garlicke & Bousfield Inc

POPIA (Protection of Personal Information Act, 2013) is a beautiful creature of legislation designed to align South Africa with international data privacy laws and good business practice.

POPIA is NOT the enemy that we perceive it to be. Compliance with POPIA will not just save you fines and penalties; it will also save you the cost of losing clients and the reputational damage that follows, as no one wants to do business with a company or person that does not value the consumer's personal information.

All this being said, much focus has been placed on section 17 of POPIA, which relates to documentation: a responsible party must maintain the documentation of all processing operations under its responsibility. This has resulted in an outbreak of POPIA Policies and Procedures documents floating all over the media and websites. Indeed this is all required and must be in place; however, let us also remember that sections 20 and 21 of POPIA govern the relationship between the Responsible Party (which processes the personal information) and an Operator (which processes the personal information, but does so in terms of a mandate from the Responsible Party), as both are defined in POPIA.

Once you have survived the identity crisis and the blame-shifting game that goes on in a business relationship, and have taken ownership of your position as a Responsible Party in the relationship of processing personal information, the next step is to ensure that a 'written agreement' is in place which outlines the requirements of POPIA together with the obligations and responsibilities of both parties to the contract.

Whilst POPIA is clear that, in the event of a data breach or a complaint from a data subject, the Responsible Party will be held accountable by the Information Regulator, the Responsible Party may, in terms of the written agreement, hold the Operator liable in a civil liability claim.

Globally and locally the trend is to include a Data Processing Agreement to govern the relationship between the Responsible Party and the Operator. POPIA refers to this arrangement as a 'written agreement'. Whatever you may choose to call it, in terms of POPIA the aim or purpose is that the responsible party must:

1. Ensure that the operator maintains the security measures referred to in section 19 of POPIA.
2. Conclude a written agreement with the operator, which requires the operator to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.

In the build-up to the looming POPIA deadline there has been an outbreak of DPAs (Data Processing Agreements) being issued. In most instances the parties have not correctly identified the role that they play in the business relationship, but in a frenzy are rolling out 10 pages of lengthy, wordy contracts to tick this compliance box.

This 'one size fits all' approach will not work, nor is it practical, and your efforts will only result in a frustrated third-party service provider. A written agreement that incorporates the items mentioned under sections 19, 20 and 21 of POPIA is all that is required to govern and manage the business relationship between the Responsible Party and the Operator. One needs to apply one's mind to the current business relationship with the third-party service provider in order to roll out an agreement that is reasonable and applicable to the nature and activity of that business relationship.

A Vendor Management program is crucial to this POPIA roll-out, assisting your organization to effectively manage POPIA compliance with the Responsible Party's suppliers, third-party service providers and/or vendors wherever personal information is processed in terms of POPIA.
