POPI Act - who are the role players?

In the first post of this series, we looked at the definition of personal information, when the POPI Act will apply, requirements for compliance and similarities and differences in relation to the GDPR. In post 2, we look at the role players, categories of data subjects and operators. 

The POPI Act applies to any organization or body that gathers, records, shares or uses the personal data of individuals or companies. The company that has ultimate control over the data it uses is called the responsible party. 

If the responsible party shares the data with another company to fulfill a purpose, that company is considered an operator. There are many different types of operators, and a large organization, like a bank, would typically have hundreds of subcontractors that process data on its behalf.

The party to whom the personal information belongs is called the data subject. 

Who are the POPI role players

Responsible parties

Every organization, unless it somehow survives without clients or employees, is a responsible party. This includes for-profit companies, non-profit companies, governments, state agencies and societies. 

So, basically, any entity that processes information about an individual or company is by definition a responsible party, and that means it has obligations to safeguard the information of the data subjects.

Categories of data subjects

There are different categories of data subjects that need to be considered when preparing for POPI compliance:

  • Employees – organizations collect and store information about employees, such as ID numbers and bank account details, in order to manage the employment relationship
  • Candidates – organizations need information about potential candidates, such as their employment history and credit score, in order to assess suitability for employment
  • Prospects – sales teams collect and store information about leads and prospects, such as company size and lifecycle stage, in order to sell services
  • Clients – organizations record information on their clients, such as contact details and roles, so that they can communicate and provide services
  • Suppliers – organizations store information about suppliers, such as bank details, in order to manage the supplier relationship

For service providers that process data as part of their market offering (operators), there is an additional category of data subject – these are the individuals whose data is transferred by the responsible party, so that an operator may provide a service.

Categories of operators

No business can operate entirely on its own, which means most organizations outsource at least some of their requirements to specialists.

The various categories of operators are easily understood when explained in relation to the above categories of data subjects:

  • Employment – a company might outsource certain employment functions, such as payroll processing or certain benefit schemes
  • Recruitment – a company may use recruitment agencies to source candidates and a credit bureau to provide credit reports
  • Lead generation – a company may track its sales pipeline using the leads module of a CRM system which is located in the cloud
  • Client service – the same company may use the service module of the CRM system to keep client contact details in order to provide services to them or share the details with a communications agency that manages their client communication
  • Supplier management – companies need to store information about suppliers in order to manage their creditors and may outsource debt collection to a third party

There are many different categories of operators not mentioned above, and each organization must understand when and with whom they share personal data.

Operator obligations under POPI

An interesting difference between the GDPR and the POPI Act is that the GDPR places direct obligations on operators (called processors), whereas the POPI Act simply says there should be a mandate in writing between the responsible party and an operator. This places immense importance on the agreements that a responsible party has with its operators.


Stergios Saltas

Operations Director, Africa

Stergios Saltas is Operations Director at Striata, with a focus on the Africa region.

With 20 years’ experience in the ICT industry, Stergios is responsible for guiding the strategic direction and daily operations of the African business. During his career at Striata, Stergios mastered a wide range of roles where he oversaw the management and delivery of messaging solutions.

Stergios is dedicated to understanding client needs and executing solutions with precision; ensuring that Striata products meet the highest standards of quality and functionality; while promoting the wellbeing of Striata’s valuable resources.
