Over the last few weeks, if you have been a living, breathing soul with an active email account in South Africa, you will have received an influx of POPI-subjected emails. Companies all over South Africa scrambled to send out a flurry of consent emails to their databases. And, whilst some tried quirky messaging, and others simply seemed to miss the point of the exercise, many customers are still somewhat in the dark as to why they were receiving them in the first place.
In fact, many companies are still a bit shaky on why exactly they needed to send these out and the total impact that the POPI Act has on their business. If you are one of those whose response extends to “It’s to protect your personal information” and not much more, don’t feel alone. We are here to help.
The POPI Act extends beyond what its name suggests, and will have several implications for your business. So, we thought we would unpack the nitty-gritties of what you need to know, and give you a bit more insight into what you need to adjust in your business.
What, Why and How is POPI a Thing?
So, if you are still not sure, POPI stands for the Protection of Personal Information. The bill had been in draft since Obama was still in office, and was passed back and forth until it was officially signed in 2013.
It officially came into effect on 1 July 2020. But companies have only really started scrambling to become compliant in the last month or so, as companies had a grace period of 12 months to become compliant. Naturally, being South Africans, we all left it to the last minute and then rushed to ensure that we were all on the same bandwagon. Even if some of us had no idea why we were on the bandwagon to begin with.
POPI is the regulation of the collection, use, storage, management, sharing and disposal of customers’ personal information. As the world has become more and more digital, more personal information has been collected and stored by companies than ever before. Customers have unknowingly and unwittingly been sharing vital company information with companies globally, who have been sharing this information or mismanaging it internally.
Globally, similar legislation has been put into place to regulate the abuse of personal information. The information age has not been very kind to customers over the last few years, as customers started being contacted by more and more companies that they had no association with. We all know those spam calls and text messages all too well, hence why regulators had to step in.
What Types of Information Are We Talking About?
Now, you may be asking, what type of information are we talking about? Well, POPI regulates the following personal information:
- Identity and/or passport number;
- Date of birth and age;
- Phone number/s (including mobile phone number);
- Email address/es;
- Online/Instant messaging identifiers;
- Physical address;
- Gender, Race and Ethnic origin;
- Photos, voice recordings, video footage (also CCTV), biometric data;
- Marital/Relationship status and Family relations;
- Criminal record;
- Private correspondence;
- Religious or philosophical beliefs including personal and political opinions;
- Employment history and salary information;
- Financial information;
- Education information;
- Physical and mental health information including medical history, blood type, details on your sex life;
- Membership to organisations/unions.
Although some of these may be shared on their own, sharing a combination of some, like name and ID number, for example, could be considered illegal.
Companies need to put measures in place to allow their customers and clients control over their personal data. This means that customers need to have a say in the following:
- When and how they share information with you. This means that they need to consent to any kind of communication and interaction;
- The type and extent of information that they choose to share with you. So, you will need to have a valid reason for actually collecting their data;
- Transparency and accountability on how their data will be used (limited to the purpose) and notifications if/when the data is compromised;
- You will need to provide your clients and customers with access to their own information and give them the right to have their data removed or deleted;
- Your customer has the right to know who has access to their information. So, you need to have something in place to track the access and control of information to prevent unauthorised people, even employees within the business, from accessing their data;
- Customers will need to know how and where their information is stored. This usually means that you need to put in measures to protect their information from theft and/or fraud;
- Lastly, you will need to capture all information correctly and accurately.
What Steps Should You Be Taking?
By now, we are sure that every single company in South Africa has already sent out their token POPI email. We even got one from our local spaza shop.
If you haven’t yet though, contact us right now and let us put one together for you.
This email aside, it is really important for you to get consent before simply engaging with potential customers. So, start focusing on the following avenues in your business:
Cut Down the En-Masse Newsletters and Mailers
These certainly make up a large chunk of the marketing efforts of a company and drive a lot of traffic to the site. From now on, you simply cannot add names onto your database, or buy leads to email content to. You will need their consent first.
You can use these aforementioned emails to get consent from your customers to keep them on the database and send them regular (informative!) content. Also, do not try to get savvy by getting people to sign up for competitions, or by digging through social media. You will need permission for all of these too!
Not Everyone Will Get a Cookie
Cookies have historically been used to identify a user’s computer when they come onto any website.
Cookies are the reason why you will see that pair of New Balance shoes that you were looking at on Superbalist popping up when you are reading up on Zuma finally being behind bars on News24.
Cookies are small text files that can capture a lot of data and information about customers, and are now highly regulated. You will need to ask your site visitors to accept the cookies from your site, as well as explain to them what cookies are and what you use them for. Again, we are here to help you with these policies and pop-ups.
Keep in mind, these cookies do help with the functionality and user experience on your site. So, instead of filling out forms again and again each time your customer uses your site, cookies can help streamline the process and get them to check-out quicker.
Gatekeeping Websites Is a Thing of the Past
Historically, business owners had a sneaky way of collecting valuable information to add to the growing database. In order to actually enter the website and use anything on the site, visitors were asked to sign up, or sign in.
Now, this has to be done away with. Yes, if your customer wants to make a purchase through their profile, they will need to sign in, but websites now need a darn good reason to ask visitors for any details when visiting.
Get Your IT Department Levelled Up
The IT department is where all of your vital information and data is kept. On networks and in large storage, right? The next thing is to do a good overhaul and make sure that the whole thing is secure and impenetrable.
Firstly, you will need to identify and appoint an Information Officer. This can be your CEO, but they might need deputies, especially in the IT department to help them roll everything out.
Next, you will need to do an assessment of the current state of your data capturing, storage, usage, sharing and disposal. Who has access to your customers’ information? Where is it stored? Is it secure and protected?
You will need to go through an exercise to formally secure all of your databases and only provide access to relevant staff members. It will also be worth your while creating manuals for your staff to ensure that they are following the right practices within the company.
All avenues of your data capturing and storing will need to be reviewed and streamlined to ensure that your customers’ information is carefully protected and stored in your company.
This may seem incredibly overwhelming. But it is worth mentioning that this is an exercise that will most likely take a few months to roll out and get right. The main objective is to make this the new norm for companies throughout South Africa. Non-compliance with POPIA does come with some harsh penalties. Jail time and exorbitant fines have been threatened, so it is imperative that you get onto it as soon as possible.
If you need assistance to roll out your POPI compliance project, get in contact with us today. We are equipped and ready to help you get your company on the right track and reassure your clients and customers that their information is secure and protected with you!