By Ryan Boyes – Compliance is an increasingly important subject in South Africa as the Protection of Personal Information Act (POPIA) gains traction.
However, while many businesses are working to ensure that they align with relevant laws, it is just as important to ensure that third-party vendors and suppliers too are compliant.
The reality is that businesses may be held jointly liable if their third parties are not compliant, aside from taking on the unnecessary risks of data breaches, cybersecurity issues, reputational damage, and business disruption, among others. Conducting thorough due diligence, including a comprehensive risk assessment, is essential to mitigate risk and ensure compliance throughout the supply chain.
Know the risks
When it comes to information security, most businesses are now aware of the risks of non-compliance with POPIA. These include administrative fines of up to R10 million, criminal penalties including further fines and potentially jail time, compensation claims from affected parties, and reputational damage, which could have significant and long-lasting consequences.
In addition, data protection laws of other countries, such as the General Data Protection Regulation (GDPR) in the European Union (EU), can affect South African businesses under certain circumstances – for example if a South African organisation conducts business within Europe or interacts with the personal information of an EU resident.
This applies not only to a business itself, but also to its third-party vendors and suppliers. If a third party is not compliant with data privacy regulations, and the data of a business is compromised as a result, the business may be held jointly liable along with their supplier when it comes to facing the penalties.
For example, security companies often require some form of identification when allowing people access to a gated community or office park. If they then experience a data breach, the owner of the office park or the community is also responsible to a certain degree. It is therefore imperative to conduct thorough due diligence of all third-party suppliers to ensure compliance throughout the supply chain.
An outside perspective
When it comes to ensuring third parties are compliant, there is no pre-determined blueprint, nor is there a ‘one size fits all’ approach that can easily be applied.
Every organisation and its supplier network is unique, so the requirements for compliance will differ depending on the industry, the laws that apply around data retention, the vendors, the countries of operation and various other factors. It is also important to develop an incident response process, test scenarios, and prioritise risks.
This process can become extremely complex as it is not a core competency of most organisations, so having an external partner with the relevant skills and experience can be beneficial. They can also provide an outside perspective to prevent the common phenomenon of not being able to see the wood for the trees, so to speak.
Consultants bring experience from a variety of different industries, and a reputable and experienced partner will have a pool of skills to draw on to and assist in identifying the issues. They will be able to perform a comprehensive risk assessment and provide recommendations on how to resolve the issues identified.
Finding the balance
To mitigate these risks, it is important to conduct thorough due diligence when selecting third-party vendors, assess their compliance with relevant laws and regulations, establish clear contractual obligations, and regularly monitor and audit their compliance practices.
However, while there are frameworks and best practices to help guide the process, organisations must find the right balance to cover both compliance and technology requirements.
Creating a compliance department internally is not feasible for most businesses, and ignorance is not considered an excuse when it comes to data privacy breaches. It is imperative to assess the landscape, identify the gaps and then understand the steps that need to be taken.
Partnering with the right provider is invaluable in helping businesses to get on top of compliance throughout their supply chain and adapt to a dynamic and constantly changing landscape to minimise risk.
Ryan Boyes is the governance, risk and compliance officer at Galix