Get the right operator contracts in place in 6 simple steps

  • Start working on those operator contracts

In week 6 of our POPI DIY programme we look at what an operator is, and how to make sure you have the right operator contracts in place with yours.
In terms of POPI an operator is a person or company who processes personal information on behalf of the responsible party. POPI says the responsible party must conclude a written agreement with each of its operators.

How on earth do you meet this requirement?


  1. Make a list and check it twice

Make a list of your operators. Who do you share PI with? Think about services like your hosting service, accountant, cloud storage, couriers etc.

  1. Rate the ‘risk’ associated with the operator

If you are a medical professional, you share a list of all your patients and their health information with your software service provider. This would be a high-risk operator, because you share your patients’ sensitive health information with them and it would be a huge deal if they lose it or share it with the wrong people. An example of a low risk operator would be your accountant who would only get access to a list of names of your employees, but no access to any other information about them. If this list is compromised it wouldn’t have such a huge impact on anyone.

  1. Do you need operator contracts?

Determine with which of your operators you need to sign an operator contract. You may already have contracts in place with some of them. If you do, check that it includes the terms required by POPI (listed in point 6).

  1. Address the biggest risks first

Start with the high-risk operators and ask them about their POPI compliance. Have they done anything to ensure that they comply? If not, suggest that they speak to us or sign up for POPI DIY. If they are not willing to take steps to become compliant, and to sign your operator contract, you should start looking for a different service provider.
Remember, you will be held responsible if anything goes wrong.

  1. Draft your operator contracts

POPI says that the operator contract must include these obligations for the operator to:

  • establish and maintain adequate security measures – like those we discussed over the last few weeks of POPI DIY;
  • ensure its compliance with POPI;
  • immediately notify you if POPI’s requirements are breached – such as a security breach;
  • ensure the confidentiality of the PI; and
  • not process the PI without the knowledge or authorisation of the responsible party.
  1. Sign on the dotted line

Ask your operators to sign your operator contract. Start with those with the highest risk.
If you’d like to learn more about the requirements set by the Protection of Personal Information Act, sign-up for our next POPI workshop, or ask us about a tailor made executive awareness session where we talk to your executive team about the impact of POPI on your business. It’ll be fun!

About the Author:

Ilze Luttig Hattingh
Ilze is what can only be described as a common sense attorney (the Force is strong with her). She specialises in regulatory compliance, risk management and commercial contract law. She joined us in the beginning of 2016 when she got a bit tired of being an in-house legal advisor. Now she is an out-house legal advisor (she gets stuff sorted out). She finds simple, innovative and business-oriented solutions to compliance management problems. Ilze doesn’t write books, she reads them. Ilze likes the wind in her face when she is riding her bike or travelling the world. She’d love to learn how to make bread, Limoncello and a beautiful Bordeaux blend, and how to paint with oils. She also caught Elizabeth’s Lego bug (come to our offices and you will see). She dislikes people who use jargon like ‘big rocks’, ‘on-boarding’ and ‘this speaks to’. Paul often ‘puts things to her’ just for the reaction. She HATES tomatoes. Want to find out more about Ilze? Take a look at her LinkedIn profile, better yet contact her on or (021) 481 1827.