Don’t Develop Small POPI Syndrome
It’s all about who and what you know.
POPI, otherwise known as the Protection of Personal Information Act, has been looming over business ever since it was first signed into law in 2013. Although not yet fully implemented, many large businesses have been gearing up to ensure they are compliant with this far-reaching piece of legislation. Unfortunately, many small businesses have been less pro-active, mistakenly believing that POPI only applies to large companies. Think again!
“Being small does not exonerate your sole-proprietorship, closed corporation, partnership, or company from POPI,” says Francis Cronje, an advisor to Parliament's Technical Working Committee on POPI. “POPI applies to everyone and although your employee count or existing customer database might seem small or irrelevant, you are still responsible for the personal information you process.”
POPI’s role is to ensure that businesses act responsibly when collecting, processing, storing and sharing personal information by holding them responsible should they abuse or compromise personal data in any way. Personal information is regarded as data or indicators by which a person can be uniquely identified (your name, race, gender, age, identity number etc.). The provisions of POPI also apply to legal entities such as companies.
The rights conferred on individuals as owners of their personal information, means that:
Ø A person must give their consent about when and how their information can be shared.
Ø Information must be collected for valid reasons and the consumer can decide the type of information that can be shared.
Ø There must be transparency and accountability on how data will be used.
Ø The person concerned must be able to access their own information and can also insist that personal data be removed or destroyed.
Ø There must be adequate measures and controls in place to track access to private information and prevent unauthorised people, even within the same company, from accessing it.
Ø People are entitled to have their information safeguarded to protect it from theft, or being compromised.
Ø The integrity and continued accuracy of personal information must be maintained.
Businesses engaged in direct marketing must be particularly careful of falling foul of POPI. For example, any information provided by a customer for a specific purpose cannot be used by the business for something else. If someone provides information on a website to address a problem, POPI dictates that the information can only be used to assist with that request. An e-mail address gleaned from a customer query cannot be added to the sales department’s mailing list or sold to another company.
POPI does not apply to direct marketing using non-electronic means. These methods include digital flyers, registered post and telephone calls. However, if digital flyers are sent directly to a person, they must be able to `unsubscribe’ if they no longer wish to receive them. Their details must then be removed from the distribution list and a record of this action must be kept. This also applies to telephone calls and communication via post or in person.
If you use SMSs or e-mails to attract new customers, the provisions of POPI will also apply. People must consent to all forms of electronic communication. If material is already being sent to existing customers, they must be able to `opt out’ of receiving marketing material. Thereafter, their names must be removed from the database.
Perhaps the most onerous requirement of POPI, and the most expensive for a smaller business, is the disposal of personal information. Information cannot simply be tossed into a wastebasket. It must be destroyed in an approved manner and the destruction certified.
Although POPI has not yet been finalised, many believe that any outstanding pieces of legislation will likely to be finalised in 2018. This leaves small business owners with a narrow window of opportunity to get compliant.