Natalie Laurencik
Natalie Laurencik

You could be liable for your supplier’s privacy policy shortcomings

by Natalie Laurencik. Businesses need to understand that they can be held liable for shortcomings in the privacy policies of others, such as suppliers.

by Natalie Laurencik. By now, most organisations have looked at securing their internal environments, educating their staff and tightening up procedures for POPI. In case you missed it, POPI is the Protection of Personal Information Act. It protects your data and also that of your business. Organisations have a duty to protect it and not exploit it, as do you if you hold anyone else’s personal information. Your organisation may have even prepared its own privacy policy to deal with all the precautions required. But often a blind spot can exist in relation to your supplier environments, especially information and communication tech providers.

In the burgeoning digital age, we are all using cloud-based services for own personal use and business use. But do we have any idea how these organisations deal with the personal information that we hand over to them? When is the last (or any) time you read the privacy policy of a website you accessed or service you signed up for? An average privacy policy would take an astute reader about 15 – 20 minutes to read. It has been estimated and reported that it would take an average person upwards of 25 days a year to read all the privacy policies they come across.

We all need to get on with life and we can’t scroll to the bottom of the latest update to the privacy policy quick enough to tick the box. A calculated risk for yourself made in a moment. But, do we give it due care when there are consequences for others? Undoubtedly there is personal information of our customers, our database and our employees that will be affected by our choices in agreeing to a providers’ policy on privacy and data protection. Complex legal jargon and tech talk can be off putting and result in delays. Often there is no scope for negotiation with such a service provider and so it may seem unavoidable. But it is critical. Understanding what you are agreeing to in respect of personal information you hold, especially that which is not your own, is central to delivering your service.

In terms of POPI and other international  data protection legislation that may apply to your organisation, you have obligations – which need to be mirrored in your supplier agreements. Failing this you may be in breach before you have even started. You certainly don’t want to be agreeing to data protection standards inferior to those that your organisation aspires to. If there is indeed no room for negotiating the terms with the service provider, you may be legally required not to accept those terms and select an alternative, more compliant, service provider. Some quick tips to keep in mind:

  1. Check where the data will be hosted – POPI requires local hosting unless certain conditions can be met.
  2. Is the service provider using a reputable cloud service?
  3. Check the service provider’s security standards – ISO compliance is a good indicator.
  4. Ensure response and repair times match your own.
  5. Check service provider’s rights regarding their use of the personal information provided.


Natalie Laurencik is co-founder and director of Consilium Legal, a boutique legal and business advisory. She has been a practicing attorney for 13 years. Her expertise lies in commercial law; with a strong focus on the media, advertising, and public relations sector. She also has a keen interest in privacy and data protection, and is immersed in compliance programmes for clients across several different industries. Laurencik is also completing a PECB certfied GDPR DPO certification. 


– Receive the Retailing Africa newsletter every Monday and Thursday • Subscribe here