Validating Operator Assertions of Compliance

Responsible parties must secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures. In order to do this, the responsible party must:

  • take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control, and establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Validating operator assertions of compliance with POPIA is an obligation that responsible parties are required to fulfil. Responsible parties should foresee that operators might not fulfil their POPIA and contractual obligations. Data subjects can hold responsible parties accountable for the non-compliance of their operators, and may demand financial compensation from responsible parties should operators interfere with the rights of data subjects.

One of the appropriate, reasonable organisational measures that responsible parties can use to ensure operator compliance is auditing the measures taken by their operators. Independent auditors applying reasonable technical and organisational certification criteria can give all parties confidence that the certification target (e.g. a process, service, or product) fulfils the data protection requirements of POPIA.

The value of certification is the degree of public confidence and trust established by an impartial and competent assessment by a third party.

CONTACT US for more information and assistance with validating operator assertions of compliance using independent, impartial certification criteria.