You are responsible for the way in which the 3rd party processes the data, what they do with it and their security!
We have just had the opportunity to work with a flagship South African company on their POPI Gap Analysis. The management and staff were approachable, transparent and very honest about the state of their data. This allowed for a clear report with defined gaps and recommendations, and has created a space in which we can plan their compliance implementation.
Our gap analysis consisted of a half-day workshop with all business units, individual interviews (where needed), and understanding their culture and real modus operandi. This particular organisation has a strong focus on customer privacy, which is commendable! They have, however, like many other companies world-wide, not followed that mindset through with their suppliers, partners, intermediaries and other 3rd parties. This has created a void, legally and operationally, and has undermined their accountability.
It is imperative to understand that you, as a company, frequently partner with 3rd parties to assist with some processing requirements. Outsourcing is commonplace and healthy, as long as it is controlled effectively. Often, an organisation will look at non-disclosures, restraints of trade, and sew up the financials tight as a button… but they lose sight of the rights of what POPI calls the ‘data subjects’. See the full text of the Act here.
When sharing personal information with 3rd parties, your organisation remains responsible for the data. In effect, you are now also responsible for the way in which the 3rd party processes the data, what they do with it and their security. The correct way to handle this is to ensure that all policies, processes, and agreements are updated with the necessary Privacy clauses; to ensure an assessment of all 3rd parties is done upfront and periodically throughout the relationship; and to ensure that 3rd party employees take Privacy as seriously as you yourself do.
This is easy enough to do, and takes a combination of tools, controls, and a Privacy-by-Design mindset.
Are you POPI compliant? Give us a shout if you want to check your own compliance, or if you need assistance in planning or implementing your POPI compliance… We have experienced consultants and a proven track record with our tested methodology. We offer you a no-nonsense open POPI Compliance partnership – where you need it, when you need it…
Data Privacy is the future…