Derick and the delicate dance of data protection

Data Protection
24 Oct 2023

As if the challenges with the system response service levels weren’t enough, Derick’s next mission was set: crafting a Data Protection Schedule intricately tailored to the Cloud Services Agreement. If that wasn’t tricky enough, it had to align perfectly with the intricacies of South African Law, especially the looming giant, the Protection of Personal Information Act (POPIA).

The type of data being processed

Derick started by diving deep into the murky waters of POPIA, attempting to decipher the true meaning of “Personal Information”. This wasn’t just any data; it had to be specific to the ambit of the POPIA. It related to living, identifiable humans and, at times, even existing juristic persons like businesses.

Derick quickly jotted down a list of data types the service provider would be working with.

He deliberated over the details: would this data be general personal information, or would it tread into the treacherous terrains of special personal info, like one’s race or health details?

Derick felt like a cartographer, mapping out the vast terrains of data. Who does this data speak of? What tales does it tell? Why is it being shared, and for how long?

His map included:

  • Realms of data subjects: These could be the mystical lands of customers, employees, or others linked to the company sharing the data.
  • Scrolls of personal data: Names, tales of identification, financial stories, and other legends.
  • Nature of the tale: Was it a tale of storage, retrieval, or perhaps deletion?
  • The duration of the epic: How long would the Service Provider sing these tales before they fade away or are returned to their origins?

With this, Derick’s foray into data protection felt more manageable. Each element was like a puzzle piece, fitting together to shield Vector AI from the dragons of non-compliance and mistrust. The Data Protection Schedule was shaping up to be a masterpiece, a testament to Derick’s relentless drive and commitment.

Usage of the data by the service provider

The Service Provider’s intentions and rights relating to the data were paramount. Derick pondered, “Would they just use the data to fulfil their obligations under the agreement, or might they want to use the data in some de-identified way?”

His contemplations:

The data must only be used for the specific purpose of fulfilling their obligations under the Agreement. Nothing more, nothing less.

If de-identification was on the table, they better ensure it’s truly anonymous. “No sneaky marketing!” Derick exclaimed, imagining the potential chaos.

Authorised persons

In the world of data, not everyone should wield the power to handle it. Derick knew he had to identify the ‘Chosen Ones’ or, as the legalese called them, the Authorised Persons.

He began by listing potential roles – who in the service provider’s realm would touch this sacred data?

They needed guidance, a training of sorts, on their noble responsibilities under POPIA and the agreement.

Sworn to secrecy, these individuals would be bound by the ancient scrolls of confidentiality.

Organisational and security measures

When Derick started reading up on organisational and security measures which needed to be in place, he felt in over his head. Luckily, Derick remembered Jaco, Vector’s IT guru, who helped him with the System Response Service Levels, will be able to provide guidance!

Jaco explained:

Organisational measures primarily revolve around the internal structures, protocols, and practices a company establishes to ensure data protection. They are concerned with how human resources and management procedures are aligned to protect sensitive information.

The aforementioned involves everything from setting up defined roles and responsibilities regarding data handling to ensuring an ingrained culture of data protection awareness. Regular training and updating of policies reflect a proactive approach. It’s all about creating an environment where everyone understands the value of data and their role in protecting it.

When it comes to security measures, on the other hand, it means the actual tools, systems, and technologies put in place to physically or digitally safeguard data.

These are not limited to but often revolve around systems that prevent unauthorised access, detect potential breaches, and react to any threats.

It’s about building a digital fortress around sensitive data and continuously updating that fortress in response to new and evolving threats. While the specifics can vary, the core idea is to provide robust, multi-layered protection that defends data from both external and internal threats.


As Derick pieced together the Data Protection Schedule, he stumbled upon a new terrain: Sub-Processors. These weren’t the main warriors in the battle for data protection but played a crucial supporting role.

The Service Provider would have to provide Vector AI with a directory of these Sub-Processors. Just who were they entrusting with the precious Protected Data?

Also, if ever the Service Provider felt the need to change or introduce a new Sub-Processor, they couldn’t just sneak one in! They’d need to send word to Vector AI ahead of time.

Vector AI, in return, reserves the right to object. If they believed this new Sub-Processor wasn’t up to the task or could compromise the integrity of the data, they could raise their flag of concern.

Access rights

Now, while the Service Provider held the data, Vector AI needed assurance they could access their treasure when needed.

Derick decided Vector AI should have transparent and unhindered rights to access the Protected Data. But, this couldn’t be a wild free-for-all. There had to be structured processes, notifications, and potential time frames.

It would also be wise to ensure the access was logged. Who accessed it, when, and why?

Protected data requests

Derick recalled some tales from law school about “Right to Know” and “Right to Deletion” petitions from data subjects. Vector AI had to be prepared!

Should a data subject knock on Vector AI’s doors with a “Right to Know” request, Vector AI would need a clear process to provide that information. How would they fetch it? How would they confirm the data subject’s identity? How long would they take?

A “Right to Deletion” was more tricky. Wiping away a data subject’s existence from the records needed precision. No remnants, no backups, a clean sweep!

The Service Provider would need to play their part here, too. Should Vector AI receive such a request, the Service Provider should be primed to respond swiftly, ensuring the data is wiped from their realm and the realms of any Sub-Processors.

As Derick framed these considerations, he felt the weight of responsibility but also the satisfaction of ensuring Vector AI’s compliance and protection. With every clause, he was fortifying Vector AI’s position in this digital age of data.

Audit rights and compliance reports

With the layers of the Data Protection Schedule beginning to stack up, Derick realised the importance of not just setting these rules but also ensuring they’re followed. This realisation ushered in the idea of audits and compliance reports.

Derick felt strongly that Vector AI should have the privilege to knock on the Service Provider’s door and check if they were really upholding their end of the deal. Auditing the Service Provider’s compliance with the Data Protection Schedule would provide this assurance.

To further this trust, Derick contemplated having the Service Provider maintain annually updated compliance reports. Certificates like ISO or SOC II would give a stamp of approval, signifying their commitment to data protection.

Such certifications, while not always legally mandated, sure had a way of offering peace of mind. It was like having a watchtower always ensuring the safety of the Protected Data.

Data incidents

While Derick hoped Vector AI would never face a data incident, he knew he had to be prepared. He dove into defining and dealing with it.

There needs to be clarity on what constitutes a Data Incident. Derick settled on the meaning that a data incident could be any unauthorised access, disclosure, alteration, or destruction of the Protected Data. Like a chink in the armour, even a tiny breach could have vast repercussions.

Derick realised that time was of the essence when it came to Data Incidents. Derick believed the Service Provider should promptly notify Vector AI, and he settled on a strict timeframe – within 48 hours of becoming aware of the incident. The clock would be ticking.

Cross-border conundrums

The thought of Protected Data travelling across borders gave Derick a slight shiver. Different legal jurisdictions had different laws and regulations!

Transfer Mechanisms: Derick remembered that international transfers were tricky. They could utilise mechanisms like the Standard Contractual Clauses (SCCs) or even rely on specific adequacy decisions. The goal was to ensure the data would be treated with the same reverence, no matter where it rested.

Prior to any cross-border move, Vector AI would need to be notified, and the details of the transfer mechanism agreed upon.

As Derick annotated these points, he realised that the journey of mastering the nuances of the Data Protection Schedule was an intricate dance. But with every step, he felt Vector AI was getting closer to ensuring a fortress of compliance and safety.


Wrapping up his deep dive into the maze of data protection, Derick realised just how intricate and essential a solid Data Processing Schedule truly is. The balance of safeguarding data while ensuring smooth business operations is no small feat. With regulations, nuances, and potential pitfalls at every corner, creating an effective schedule is not for the faint of heart.

Luckily, Derick has discovered With its guided and intuitive approach, Derick can now craft a Data Processing Schedule tailored to Vector AI’s unique needs without breaking a sweat.

For all the Dericks out there, navigating the legal labyrinths of data protection just got a whole lot easier. Dive in, and let be your trusted guide. Dive in, embrace the future, and safeguard your data with confidence!

See also:

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)

Technology Law articles on GoLegal