Start working on those operator contracts

In week 6 of our POPI DIY programme we look at what an operator is, and how to make sure you have the right operator contracts in place with yours.
In terms of POPI an operator is a person or company who processes personal information on behalf of the responsible party. POPI says the responsible party must conclude a written agreement with each of its operators.

How on earth do you meet this requirement?


  1. Make a list and check it twice

Make a list of your operators. Who do you share PI with? Think about services like your hosting service, accountant, cloud storage, couriers etc.

  1. Rate the ‘risk’ associated with the operator

If you are a medical professional, you share a list of all your patients and their health information with your software service provider. This would be a high-risk operator, because you share your patients’ sensitive health information with them and it would be a huge deal if they lose it or share it with the wrong people. An example of a low risk operator would be your accountant who would only get access to a list of names of your employees, but no access to any other information about them. If this list is compromised it wouldn’t have such a huge impact on anyone.

  1. Do you need operator contracts?

Determine with which of your operators you need to sign an operator contract. You may already have contracts in place with some of them. If you do, check that it includes the terms required by POPI (listed in point 6).

  1. Address the biggest risks first

Start with the high-risk operators and ask them about their POPI compliance. Have they done anything to ensure that they comply? If not, suggest that they speak to us or sign up for POPI DIY. If they are not willing to take steps to become compliant, and to sign your operator contract, you should start looking for a different service provider.
Remember, you will be held responsible if anything goes wrong.

  1. Draft your operator contracts

POPI says that the operator contract must include these obligations for the operator to:

  • establish and maintain adequate security measures – like those we discussed over the last few weeks of POPI DIY;
  • ensure its compliance with POPI;
  • immediately notify you if POPI’s requirements are breached – such as a security breach;
  • ensure the confidentiality of the PI; and
  • not process the PI without the knowledge or authorisation of the responsible party.
  1. Sign on the dotted line

Ask your operators to sign your operator contract. Start with those with the highest risk.
If you’d like to learn more about the requirements set by the Protection of Personal Information Act, sign-up for our next POPI workshop, or ask us about a tailor made executive awareness session where we talk to your executive team about the impact of POPI on your business. It’ll be fun!

Please Share!