In the first post of this series, we looked at the definition of personal information, when the POPI Act will apply, requirements for compliance and similarities and differences in relation to the GDPR. In post 2, we look at the role players, categories of data subjects and operators.
The POPI Act applies to any organization or body that gathers, records, shares or uses the personal data of individuals or companies. The company that has ultimate control over the data it uses is called the responsible party.
If the responsible party shares the data with another company to fulfil a purpose, that company is considered an operator. There are many different types of operators, and a large organization, like a bank, would typically have hundreds of subcontractors that process data on its behalf.
The party to whom the personal information belongs is called the data subject.
Responsible parties
Every organization, unless it somehow survives without clients or employees, is a responsible party. This includes for-profit companies, non-profit companies, governments, state agencies and societies.
So, basically, any entity that processes information about an individual or company is by definition a responsible party, and that means it has obligations to safeguard the information of those data subjects.
Categories of data subjects
There are different categories of data subjects that need to be considered when preparing for POPI compliance:
- Employees – organizations collect and store information about employees, such as ID numbers and bank account details, in order to manage the employment relationship
- Candidates – organizations need information about potential candidates, such as their employment history and credit score, in order to assess suitability for employment
- Prospects – sales teams collect and store information about leads and prospects, such as company size and lifecycle stage, in order to sell services
- Clients – organizations record information on their clients, such as contact details and roles, so that they can communicate and provide services
- Suppliers – organizations store information about suppliers, such as bank details, in order to manage the supplier relationship
For service providers that process data as part of their market offering (operators), there is an additional category of data subject – these are the individuals whose data is transferred by the responsible party, so that an operator may provide a service.
Categories of operators
No business can operate entirely on its own, which means most organizations outsource at least some of their requirements to specialists.
The various categories of operators are easily understood when explained in relation to the above categories of data subjects:
- Employment – a company might outsource certain employment functions, such as payroll processing or certain benefit schemes
- Recruitment – a company may use recruitment agencies to source candidates and a credit bureau to provide credit reports
- Lead generation – a company may track its sales pipeline using the leads module of a cloud-hosted CRM system
- Client service – the same company may use the service module of that CRM system to keep client contact details in order to provide services to them, or share those details with a communications agency that manages its client communication
- Supplier management – companies need to store information about suppliers in order to manage their creditors and may outsource debt collection to a third party
There are many different categories of operators not mentioned above, and each organization must understand when and with whom they share personal data.
Operator obligations under POPI
An interesting difference between the GDPR and the POPI Act is that the GDPR places direct obligations on operators (called processors), whereas the POPI Act simply says there should be a mandate in writing between the responsible party and an operator. This places immense importance on the agreements that a responsible party has with its operators.