Do you need a responsibility assessment in terms of your relevant data protection law (such as the POPI Act in South Africa or the Data Protection Act in the UK)?

‘Responsibility’ means having a duty to handle something. When it comes to data protection laws, responsibility matters. It matters because, for any activity where two or more people process personal information, the relevant data protection law generally makes one person responsible for what the other person does. The responsible person is called the ‘responsible party’ or ‘data controller’ and the other person is called the ‘operator’ or ‘data processor’. Which one are you? Do you know? It is important to know because the responsible party or data controller carries the bulk of the liability for failing to comply with the relevant data protection law, while the operator or data processor gets off much lighter.

We can help you work out who you are by providing you with an assessment to determine who is the responsible party or data controller and who is the operator or data processor.

Why does responsibility matter?

Responsibility matters under data protection legislation because the responsible party or data controller bears the lion’s share of having to comply. For example, the responsible party or data controller must:

  • satisfy the eight conditions to lawfully process personal information; and
  • enter into a written agreement with the operator or data processor.

While the operator or data processor need only:

  • secure the personal information under their control; and
  • follow the responsible party or data controller’s instructions.

You need to know who the responsible party or data controller is and who the operator or data processor is so that all parties can comply with the relevant data protection law. If you don’t know who’s who in the zoo or you get it wrong, very bad things can happen.

How do you work out who is responsible?

You can work out who is responsible in a particular activity where people are processing personal information by understanding the people involved and their relationship to each other.

The people involved will generally either be:

  • the responsible party or data controller – the person who decides on the purpose or reason for processing the personal information; or
  • the operator or data processor – the person who processes the personal information on behalf of a responsible party or data controller, but without being directly controlled by them.

But when it comes to your organisation, who is responsible for data protection in your relationships?

What is a responsibility assessment?

We can provide you with an assessment to determine who is the responsible party and who is the operator.

A responsibility assessment is a written document that:

  • gives you a concise assessment up front as to which party is likely the responsible party or data controller and which party is the operator or data processor;
  • helps you understand a particular activity where you process personal information in terms of POPI by breaking it down in detail;
  • identifies the parties to the activity so that you can determine where responsibility for complying with POPI lies between them;
  • explains the relevant sections of POPI to determine who the responsible party or data controller and operator or data processor are;
  • draws parallels with relevant foreign data protection laws and uses arguments based on them where appropriate;
  • determines whether the relationship between the parties is one of authority, liberty, or equality; and
  • is something that you can show to the relevant regulator to back up your decision to behave like the responsible party or data controller or the operator or data processor.

Interested?

If you are interested, please complete the form on the right or email us. We will contact you to find out more about your requirements.