We all have service providers of some shape or form in our businesses, be they outsourced payroll, accounting, IT, printing, HR, or any other number of services you need in your day-to-day operation. Under data protection laws such as POPIA, there is a defined relationship between yourselves and your suppliers, in terms of a Responsible Party (you) and an Operator (your service provider). You may also be a service provider to other businesses, in which case the responsibilities change again. Either way, within these relationships there is an obligation to ensure that you each party is vetted to be doing what they should be doing in terms of data. Something I’m seeing more frequently is that companies are becoming aware of this and are asking, very haphazardly, for this information from their providers, most frequently in the form of the (very) vague question “Are you POPIA compliant?”.

This question does not actually help anyone on either side. Firstly, compliance is a journey – I’m hesitant to use the absolute term of compliant, I prefer instead to talk about whether a compliance programme is in place. Secondly, the question doesn’t give you anything tangible to work with to actually satisfy your requirements as a Responsible Party. For this, I’ve put in some of the questions that I would ask of suppliers to judge their level of compliance

Do you have any supporting documentation around POPIA?

If companies have been working towards POPIA or GDPR, they may have a short description of what they have put in place as part of their programme. This document may provide guidance on what policies they have in place, the controls used, and what they do with data. Where you have ongoing contracts that are already in place, this is often a great first port of call to see what can be proactively provided to you in support of the obligations you have in the Responsible Party / Operator relationship.

Do you have any annexures/addendums to our contracts?

It may be a case that they have not got set documentation that they send out, but instead there are annexures/addendums that have been drafted for contracts where requested. There may even be an additional “Data Processing Agreement” (DPA) that you can sign with the provider. These contracts can quite clearly lay out responsibilities for who needs to do what, and clearly outlines things like assistance in terms of breach, data sharing (very important), and retention periods. Ideally, this is where you want to be – with watertight agreements.

Do you have an Information Officer?

If neither of the above can be provided, start asking questions around the Information Officer. By default, the Information Officer will be the head of the company (whether they like it or not) unless they have delegated the role to someone else. Chatting to the Information Officer will go a long way to seeing whether the company has any programme in place and what they are doing within it. If they do not have an Information Officer, or have no idea what you are talking about, this would be the time that you raise a very serious red flag.

What policies do you have in place?

Once you’ve spoken to the IO, it’s time to get confirmation of what policies they have internally that relate to data protection. This could be a Data Protection Policy, or an IT Policy, or an IT Security Policy. The names and types of policy vary. At the minimum, you want to see a robust Privacy Policy for external companies, and a supporting document internally that fleshes out how the obligations in the Privacy Policy are achieved. These documents form part of the first principle of “Accountability”.

What technical controls are in place?

Operations need to match policy, though sometimes operations will be ahead of policy – particularly in smaller, more agile (and less regulated) companies. Getting a list of technical controls such as firewalls, access control, systems in use, authentication methods and so forth will go a long way to satisfying you about how seriously a company takes information. Again though, these only really hit one aspect of POPIA (Security Safeguards) and should not be relied on to presume that a compliance programme is in place. It is, however, a vitally important step and can be a stop-gap while the supplier gets the rest of their house in order.


While many small businesses are only coming to grips with this now, enterprise businesses such as banks and insurance houses have been doing this for a very long time. In these enterprises, supplier attestations / security questionnaires are the norm. These documents, ranging from 1 page to dozens of pages (the longest I’ve completed was 73 pages), ask very structured and relevant questions to a supplier, on which you can base a risk assessment. This is something I set up for all my clients, as the data protection chain is only as strong as its weakest link. If you have a supplier that is not playing ball, you either have to put pressure on them to work on the problem, or you have to start shopping around. An attestation gives you a really clear idea of what your suppliers are doing, and can even act as a catalyst (and checklist) for them to start their own programme.

If you’d like an attestation set up for you, why not reach out to find out a bit more about what Ross G Saunders Consulting can do for you.

Ross G Saunders Consulting offers a number of solutions that can drive your compliance; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.

Share This

Share this post with your friends!