Let’s chat about POPIA risk assessments. Recently, I’ve interacted with a few people who have decided not to conduct third-party risk assessments because, in their words, “POPIA doesn’t explicitly say you must do so”.

Okay, sure. If you interpret POPIA narrowly, you can reach that conclusion. But the conclusion doesn’t make legal, commercial, or technical sense. And it may even attract a fine from the Regulator. More about these points later. For now, I need you to be mindful that there is a smarter approach to managing the POPIA risks of your third parties.

This post is for responsible parties who are grappling with the decision of whether to conduct third-party risk assessments. In the end, you’ll be able to decide what approach to take. However, if you don’t want to read that far, the gist is that we recommend you conduct these assessments to protect your interests.

Third-party risk assessments

Many names

There are many names for third-party risk assessments, including:

  • vendor risk assessments,
  • vendor due diligence assessments, and
  • vendor risk reviews.

I prefer the term “third-party risk assessments” because it covers different third parties; for example, vendors, service providers, software providers, and other suppliers.

Why do they exist?

To assess the risks of third parties so you can decide whether to do business with them.

How do they work?

Risk assessments are usually in the format of a document (like an MS Excel spreadsheet) or a software form.

Typically, you would send the assessment to a third party and tell them to complete it within a time frame. They will then fill in information about their organisation, such as their commercial details. They’ll also describe how they secure information and list the privacy measures they have in place. It’s also common practice to ask whether an organisation complies with information security standards like ISO 27701.

Focusing on data protection

A significant part of the assessment relates to how the third party protects personal information. For example, it may ask the following questions:

  1. Do you have a privacy policy?
  2. Have you trained your staff on how to protect personal information?
  3. How many data breaches or security compromises have you experienced in the past 3 years?
  4. Do you have an information security policy and incident response procedures in place?

POPIA risk assessments

Interpreting POPIA narrowly

If you interpret POPIA narrowly, you’d be right to argue it doesn’t specifically tell you to conduct risk assessments on third parties.

But POPIA is not a rules-based law; it doesn’t say, “You must comply with the law by doing X”. Instead, it’s a condition- or principle-based law. You can see this from the fact that POPIA sets out eight conditions for the lawful processing of personal information.

Your obligations as a responsible party

As a responsible party, you must comply with POPIA’s eight conditions. This responsibility extends to your relationship with your operators—third parties you engage to help you process personal information. The question becomes: how do you assess whether your operators (third parties) comply with the conditions of processing personal information lawfully? Industry best practice is to conduct due diligence on the third party.

So how do you perform due diligence on a third party? Through a third-party risk assessment. Afterwards, you’d sign a data processing agreement with the third party that captures the obligations you expect of them and incorporates the risk assessment answers.

Still not convinced?

Accounting to the Regulator

Suppose something goes wrong; for instance, your third party experiences a data breach. Effectively, this means you experienced a data breach, so you report it to the Regulator, and the Regulator has questions. POPIA sets out the criteria the Regulator must use to evaluate whether it should fine you. For example, section 109(3)(g) of POPIA says: “When determining an appropriate fine, the Regulator must consider…any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information” (my emphasis).

If you can’t show that you carried out a risk assessment, it’s likely you could be fined.

The final word

So, when it comes to assessing the POPIA risks of your third parties, it would be foolhardy not to conduct a risk assessment. Please don’t be the person that wisdom chases but never catches.

Actions you can take

  • Manage your third-party relationships in compliance with POPIA by asking us to review your third-party risk assessments.
  • Streamline your third-party risk assessments by asking us to help you evaluate the best software solutions out there.
  • Manage your data protection relationships with third parties by asking us to draft a data processing agreement for you.