In both South Africa’s Protection of Personal Information Act (POPIA) and the European Union’s General Data Protection Regulation (GDPR), there are three players that are part of any personal information transaction. They may be known by different names in each piece of law, but essentially they are the same insofar as their responsibilities go. They form the foundation of the laws and their protections, so it is important to be familiar with them.
The Data Subject
Common to both laws is the “Data Subject”. This is the person or persons to whom the data belongs. Under the laws, this is going to concern Personal Information (PI). Personally, I prefer the definition of personal information from the Australian Privacy Act, as it is clear and understandable. It reads as follows:
Personal information is information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
Something key here is the phrase “who is reasonably identifiable”, as this means that if you aggregate different pieces of information to form a profile of someone, you are indeed acting on personal information. The POPIA regulator has stated that part of their breach notification scheme is to limit this kind of aggregation, as data subjects are often affected by information from multiple breaches being put together into a profile.
The Responsible Party (POPIA) or Controller (GDPR)
The Controller in GDPR, or the Responsible Party in POPIA, is the “middle man” among the three players. This is the party that states exactly what is to happen to the data of the Data Subject, and it is also the party that carries the lion’s share of liability in terms of the law. Think of this party as the one who decides how the data needs to be processed and what the outcome should be. In a Business to Consumer setting, the Data Subject could very well be the Responsible Party; however, in Business to Business the Data Subject could be separate, with a business being the Responsible Party – particularly when handing data over to a third party, such as:
The Operator (POPIA) or Processor (GDPR)
This is the party that performs the actual processing of the Data Subject’s personal information on behalf of the Responsible Party. The Responsible Party and the Operator could be the same person or business, or they could be separate, such as when the Operator is a third party to the main business. The Operator has a joint liability with the Responsible Party in that they need to process lawfully in accordance with the Responsible Party’s needs, as well as take adequate measures to comply with the same regulation that the Responsible Party complies with.
Here are some examples of how the three parties may relate. This is by no means an exhaustive list, as every company, interaction, and business model would define this differently. You as an organisation will need to define these relationships for each activity you perform on PI.
In the above example, we see the Data Subject as the consumer, perhaps a subscriber to a mobile phone provider. The Responsible Party is then the service provider (the mobile phone provider), which outsources its market research to a third party. This third party then becomes the Processor, and needs to have the same protections in place as the Responsible Party in order to be processing lawfully.
In the next example, we see that the Data Subject is an employee of your company. This squarely makes you the Responsible Party for their personal information. If you were to process your own payroll internally, you would also be the Processor; however, in this example we see that payroll has been outsourced, which makes the outsourced provider the Processor, with a joint liability as per the previous example.
In the last example, we are looking through the lens of a Software-as-a-Service (SaaS) provider. We see that the Data Subject is an employee at a client, with the client being the Responsible Party. They are the Responsible Party as they are instructing us (as the SaaS provider) on what to do with the personal information of the Data Subject. By hosting the service as a provider, we are then the Processor.
How can we help?
Ross G Saunders Consulting has a network of professional providers that can assist in mapping out your data flows, responsibilities and legal liabilities. We cover all aspects of your data protection needs, and can help you in your journey to compliance with the various obligations out there. Why not reach out to Ross today for a coffee to discuss your needs and see how his network can assist you.