Responsible parties are required to establish written contracts with their operators (i.e. service providers, cloud computing vendors, contractors and other third parties). The responsible party must ensure that the operator which processes personal information for the responsible party secures the integrity and confidentiality of personal information in its possession or under its control (i.e. subcontractors) by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information.

In deciding on the technical and organisation measures the operator must implement, the responsible party must have due regard to generally accepted information security practices and procedures (e.g. Prudential Standard GOI 5, SARB Directive 2/2019, FSCA's Treating Customers Fairly (TCF), ISO 27701, NIST SP 800-53 Rev. 4) which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

The POPIA platform maintains a register of contracts and the obligations that operators must fulfil, including information security practices and procedures.