The new POPI Act in South Africa

Getting to Grips with the POPI Act in South Africa

In Digital Marketing by Kaomi Team

While we’d much rather be talking about exciting innovations in the marketing space, we are acutely aware of the checks and balances that need to be adhered to in today’s business arena.

Today we’re talking specifically about the POPI Act that has been rolling out in South Africa. 

It goes without saying that government regulations are never easy to understand or interpret, but in this case, it’s important that we get to grips with the current legislation. Whether we understand it or not, it is bound to affect us in one way or another. 

What is the POPI Act in South Africa?

The Protection of Personal Information (POPI) Act has been set up to ensure that certain minimum requirements are met when processing personal information. It also serves to set reasonable boundaries concerning unsolicited communications. 

The purpose of the Act is to protect people from harm through the misuse of their personal information. This includes theft, fraud, reputational damage, and discrimination.

Michalsons sums it up for us as follows: 

“The Protection of Personal Information Act (or POPI Act) is South Africa’s equivalent of the EU GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons).”

What Counts as Personal Information?

Simply put, anything that can be used to identify a person is classified as personal information. This includes:

  • Race, gender, sex, pregnancy status, marital status
  • National / ethnic / social origin, colour, sexual orientation
  • Age, physical or mental health, disabilities, well-being
  • Religion / beliefs / culture, language
  • Educational / medical / financial / criminal or employment history
  • ID number, email address, physical address, telephone number
  • Location, biometric information
  • Personal views or preferences, correspondence, opinions

Is the POPI Act in Effect in South Africa?

It’s been a long road since 2013 when the POPI Act was first enacted, but we are close to seeing the final implementation of the act in its entirety.

In 2014 certain sections of the POPI Act were set in motion, but most of the Act only commenced on 01 July 2020. The 12-month grace period offered to ensure compliance, therefore, expires on 01 July 2021.

The remaining sections, namely Sections 110 and 114(4), will only commence on 30 June 2021. These deal with the transfer of the enforcement of the Promotion of Access to Information Act (PAIA) to the Information Regulator.

Who Does POPI Apply To?

We may feel that because we are not in a sensitive industry such as healthcare, finance, or education, we don’t have to concern ourselves with POPI requirements. 

If you live in South Africa and are responsible for others’ personal information, or live outside of SA and use either automated or non-automated data processing systems in the country, you must be compliant.

The Act applies to what are known as responsible parties or data processors, which need to be appointed within a business. Essentially, the person who decides the how and why when processing personal information is responsible for complying.

What Are the Eight Conditions for Lawful Processing of Data?

As mentioned previously, there are eight general conditions and three extra, less specific conditions that need to be met.

The conditions (rules!) define what data you can collect, what you are allowed to do with it, and how you should protect both the information and the subject or person.

These are outlined below.

  1. Accountability

Both commercial entities and smaller businesses need to determine which individual will be responsible for compliance with the Act. They will ensure that the correct systems and procedures are in place and are being adhered to.

  2. Processing limitation

Personal data should only be used fairly and legally, and only with the consent of the subject. In addition, the information used needs to have come from the data subject directly, and if it comes from a third party, the subject needs to be aware that you have access to their data.

  3. Purpose specification

The data that you hold may be used for specific and legitimate reasons only. The data subject has the right to know for what purpose you have their information, how long you require it, and when and how it will be destroyed.

  4. Further processing limitation

If you intend to use personal information for a secondary reason besides the data’s existing purpose, the data subject will need to be informed and give consent.

  5. Information quality

As far as possible, all data should be accurate and verified by the data subject. Ideally, personal information should be inputted by the person themselves. However, if your business is capturing information or changing it from one format to another, the data subject should be asked to verify, update, or withdraw consent to use this data.

  6. Openness

Transparency in the collection and use of personal data is essential. All data subjects must be aware that you are collecting their information, exactly what you have, and how it will be used. They need to understand the process for complaints if necessary, who to speak to, and their rights.

  7. Security safeguards

One of the most important conditions lies in implementing effective security safeguards. Responsible parties need to ensure that the data in their care is safe from loss, unlawful access, modification, unauthorised destruction, or disclosure.

Stringent processes must be in place to maintain protocols that prevent data breaches, unnecessary access, or interference. Should a security breach arise, there should be procedures to source and rectify the problem and prevent it from recurring.

  8. Data subject participation

All data subjects have the right to know what information is held, where it is held, for what purpose, and whether it is accurate. Responsible Parties must be able to adhere to a person’s requests and offer methods to update details or withdraw consent.

It’s a lot to take in, no doubt about that.

Who Will Enforce the POPI Act?

An independent juristic body was appointed in 2016 to oversee the POPI Act. This Information Regulator has been tasked with educating the public about their responsibilities and enforcing and monitoring compliance. They will also handle complaints from all parties where necessary.

It is hoped that businesses will already have set in motion the processes needed for POPI compliance. They are expected to take on the mantle of responsibility to secure their customers’ valuable information, not only because it’s the law but because it’s the right thing to do.

How Will POPI Affect My Marketing?

With both GDPR and POPI, neither of which is straightforward, there has been much confusion as to who businesses can market to and under what conditions. Added to this, a growing number of consumers object to having their information collected because they feel like they’re being spied on. The cyber-world is a dark and dangerous place in their minds.

While cybercrime exists and immoral people prey on the innocent, this sentiment is not going away. Therefore, it’s important for businesses and their marketing agencies to understand their boundaries according to POPI and to adapt their strategies accordingly.

Lead Generation

The days of buying and selling random email addresses and phone lists are well and truly over. This practice has resulted in a lot of damage to the direct marketing industry and is under careful scrutiny today.

Companies must be a little more creative to gain new customers’ interest and start conversations as opposed to merely popping their name on a list and spamming them. We feel that innovation is the key here; finding a way to stop a potential customer in mid-scroll and encouraging them to give you their details is an art form.

Can you still buy third-party leads? Yes, on condition that the data subjects on these lists have given consent to distribute their information. In addition, the company selling the leads must have proof of this consent.

If the person or company selling the leads has not been given permission or the correct consent from the data subject, buying these lists will come at a high price for you and your business. Remember, you are responsible for the information you hold.

How Do I Get Consent?

The POPI Act insists that consent needs to be “informed and specific.”

This means that it must be immediately evident and unambiguous and not buried in a thousand words of Terms and Conditions. The subject will have to physically check a box or show in another way that they voluntarily opt in to receiving communication from you.

Do I Need a Double Opt-In?

Does that mean you need to go back to your database and ask your leads to opt in again? If you do, there’s a good chance that they won’t reply or may even opt out, which may well slice your database in half.

Whether you need to do this or not depends on how you obtained these leads. For example, if they come from sales that you’ve made, you have a relationship with them, and they know who you are and what your products are, then you should be alright.

However, if you bought a list a while ago and aren’t totally sure if the sellers got the right permissions, then you would probably want to get consent to be totally in the clear.

If you’re still unsure where you stand with a lead, then a wise choice would be to ask yourself how this person would likely respond to a message from you. Would they be annoyed and click on the ‘spam’ button? Are they likely to opt in?

If you’re using an old database, or perhaps one that isn’t profitable, is it worth the risk? Fines for non-compliance are steep and, in many cases, can cripple a smaller business. Choose wisely.

The Essence of POPI

Yes, there is a lot of work to do, and non-compliance can be swiftly penalised. However, the essence of the POPI Act is not about conforming to legal requirements under the threat of heavy fines. Instead, it’s about taking responsibility and showing respect for the personal information of others. Imagine that those acres of names, numbers, and email addresses belong to someone’s mother, father, or daughter and that the safety of their valuable information is in your hands.

Perhaps use this opportunity to create open, transparent communication channels with your customers and leads? Let them know what your processes are and how they can communicate any issues with you.

Perhaps use an opt-in as an opportunity to requalify leads and educate them on who you are and what you stand for. (In a non-salesy way, obviously.) Consider some incentives to keep them subscribed, and make sure that your sign-up and unsubscribe processes are seamless and painless.

In Summary

The POPI Act has been set up to protect people from harassment and the misuse of their personal information. With cybercriminals getting smarter and more resourceful all the time, the responsibility to be careful with the personal information in our care needs to be shared. 

Are you concerned about how the Act will affect the marketing processes in your business? If you have questions, please feel free to contact one of our team members, and we’ll be happy to assist you.