POPIA
DIY

WEEK 6:
What are operators, and do you have them?

This week we will answer the following questions:

  • What is an operator?
  • Do you have operators?
  • How can you ensure that your operators keep your Personal Information (PI) safe?

Let’s think about this practically. The moment you give a service provider access to the PI that you are responsible for, you lose control over how it is processed.

For example, if you use a service to send your newsletter to a mailing list, you hand over your mailing list to that service provider. What else might they be doing with your list? Do you know?

The POPIA distinguishes between a ‘responsible party’ and an ‘operator’.
 
Responsible party: This is the person or company who decides what PI is processed and what it is used for. The word ‘processing’ includes anything that is done with PI , for example collecting, updating, transmitting, deleting, and even just storing it.
 
Operator: This is a person or company who processes PI on the instruction of the responsible party.
 
You will be the responsible party when it comes to your customers’ and your employees’ PI. This means that (you guessed it) you are responsible for everything that happens with the PI, even if you outsource some tasks like storing the PI.

DO YOU USE OPERATORS?

Let’s return to your workbook and the Customer PI and HR PI tabs. Try to complete all the fields, especially the column dedicated to third parties who have access to your PI.

And just like that you have your list of operators.
Now what?

YOU NEED CONTRACTS

The POPIA says you must conclude written agreements with your operators with certain obligations. In terms of these agreements the operators must

  • establish and maintain adequate security measures – like those we discussed over the last few weeks,
  • ensure their compliance with the POPIA,
  • immediately notify you if the POPIA’s requirements are breached – such as a security breach,
  • ensure the confidentiality of the PI, and
  • not process the PI without the knowledge or authorisation of the responsible party.

Follow these easy steps to get your operator contracts in place.

Remember that you must tell your customers what type of operators you use to process their PI in your privacy notice. For example, if you share their contact details with your accountant.

Remember that you have a free one-hour consultation included with this programme!
Use it, and contact us if you have any questions about this week’s topic.