Building a POPIA-Compliant Database
What Constitutes ‘Consent’?
Last month, we started the conversation about the Protection of Personal Information Act (POPIA), and what it’s going to mean for marketers. After all, businesses now have less than 3 months to make sure that they are compliant with the new regulations.
One of the questions asked on last month’s blog, and definitely a good one, was:
How are you supposed to get someone’s permission to send them something if you can’t legally send them something to ask them?
While POPIA is not necessarily a consent-driven law, there are a few instances where you do need the data subject’s explicit permission. Unfortunately for marketers, one of the instances for which explicit permission is necessary is direct marketing by electronic communication.
In other words, if you want to market to someone by email (or SMS, or any other electronic channel), you need their explicit, recorded permission to do so. The one exception section 69 allows is for existing customers: you may market your own similar products or services to someone whose contact details you obtained in the course of a sale, provided you gave them the chance to object when the details were collected and give it again with every message.
Regulation 6 of the POPIA Regulations says: “A responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act submit a request for written consent to that data subject…”
What does that mean?
You’ll need to:
- identify the data subject
- identify the responsible party and provide their contact details
- identify the person designated to sign for the responsible party
- enable the data subject to consent to receive direct marketing for specified goods or services by specified methods of electronic communication, and
- get both the person designated by the responsible party and the data subject to sign.
As a refresher, here are some important POPIA terms:
- The Data Subject: the person to whom the personal information relates
- The Responsible Party: This is the person who decides why and how to process information. This could include companies, non-profit organisations, schools, government departments and individuals.
- The Operator: the person or entity who, on behalf of the Responsible Party, collects, stores or processes personal information.
- Submit: deliver by data message, electronic communication, registered post, email, facsimile or personal delivery.
- Written: Any form of writing, including in the form of a data message that is accessible in a manner usable for subsequent reference.
Unpacking the Regulations
Reading this regulation might seem a bit concerning – especially the part which states that you must receive written consent, signed by both a person designated by the responsible party and the data subject.
By looking at the definitions, we can see that “written”, in this case, applies to any form of data message, and a data message means any data which is sent, received, generated or stored by electronic means. This includes a stored record, and even voice where the voice is used in an automated transaction. “Signed” means “data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature”.
In practical terms, this means that, to market to a prospective customer, you need some sort of data message which confirms the consent. This could be as simple as a form submitted on your website, provided you keep the submission itself (what was asked, what was ticked, and when) and not just the email address it produced.
Key Points Regarding Consent and POPI
- Consent must be voluntary. You cannot force or trick people to consent to receive direct marketing.
- The consent must relate to a specific purpose and a specific responsible party. If someone agrees to receive direct marketing from one company, that consent does not carry over to other companies in the same field, or to products the consent did not cover.
- Your purpose must be specified when requesting consent.
- The data subject must be sufficiently informed to give consent.
- There must be some sort of expression of will – such as filling in a form, or ticking a box.
So make sure you have a record of consent for each of the members of your database. If they filled in a form that asked for that consent, and you still have the record, that counts. But if you’re working from old Excel sheets, and you don’t remember where some of the email addresses came from, you’re better off not including them in your direct marketing.
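To make the requirements above concrete, here is an added example of how a consent record could be stored and checked; it is not code from this blog or from any product it describes. It assumes a small SQLite database with one row per consent, scoped to the responsible party, the purpose and the channel, holding the data message that evidences it, and a lookup that only returns addresses with a live, matching record. The table and function names, and the subscribers in the sample data, are all constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: one consent row per (subject, responsible party, purpose,
# channel), each carrying the data message that evidences it.
SCHEMA = """
CREATE TABLE data_subject (
    id     INTEGER PRIMARY KEY,
    email  TEXT NOT NULL UNIQUE,
    source TEXT                        -- how the address was obtained; NULL = unknown
);
CREATE TABLE consent (
    id                INTEGER PRIMARY KEY,
    subject_id        INTEGER NOT NULL REFERENCES data_subject(id),
    responsible_party TEXT NOT NULL,   -- the company the consent was given to
    purpose           TEXT NOT NULL,   -- the specified goods or services
    channel           TEXT NOT NULL CHECK (channel IN ('email', 'sms')),
    evidence          TEXT NOT NULL,   -- the data message: form id, checkbox text, ...
    given_at          TEXT NOT NULL,   -- ISO-8601 UTC timestamp of the expression of will
    withdrawn_at      TEXT,            -- set when the data subject withdraws or objects
    UNIQUE (subject_id, responsible_party, purpose, channel)
);
"""

def now_iso():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def add_subject(conn, email, source=None):
    conn.execute("INSERT INTO data_subject (email, source) VALUES (?, ?)", (email, source))

def record_consent(conn, email, responsible_party, purpose, channel, evidence, given_at=None):
    """Store the consent together with its evidence; refuses an address we have no subject for."""
    row = conn.execute("SELECT id FROM data_subject WHERE email = ?", (email,)).fetchone()
    if row is None:
        raise ValueError(f"no data subject with address {email}")
    conn.execute(
        "INSERT INTO consent (subject_id, responsible_party, purpose, channel, evidence, given_at)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (row[0], responsible_party, purpose, channel, evidence, given_at or now_iso()),
    )

def withdraw_consent(conn, email, responsible_party, purpose, channel, withdrawn_at=None):
    """Mark a consent as withdrawn; the row is kept so the history stays auditable."""
    conn.execute(
        "UPDATE consent SET withdrawn_at = ? WHERE subject_id ="
        " (SELECT id FROM data_subject WHERE email = ?)"
        " AND responsible_party = ? AND purpose = ? AND channel = ?",
        (withdrawn_at or now_iso(), email, responsible_party, purpose, channel),
    )

def marketable(conn, responsible_party, purpose, channel):
    """Addresses that may receive this campaign: exact match on party, purpose and channel, not withdrawn."""
    rows = conn.execute(
        "SELECT s.email FROM data_subject s JOIN consent c ON c.subject_id = s.id"
        " WHERE c.responsible_party = ? AND c.purpose = ? AND c.channel = ?"
        " AND c.withdrawn_at IS NULL ORDER BY s.email",
        (responsible_party, purpose, channel),
    ).fetchall()
    return [r[0] for r in rows]

def unverified(conn):
    """Addresses with no consent record at all: candidates for deletion, never for marketing."""
    rows = conn.execute(
        "SELECT s.email FROM data_subject s LEFT JOIN consent c ON c.subject_id = s.id"
        " WHERE c.id IS NULL ORDER BY s.email"
    ).fetchall()
    return [r[0] for r in rows]

def build_sample_db():
    """Constructed sample data (not real subscribers) in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    add_subject(conn, "alice@example.com", source="website signup form")
    add_subject(conn, "bob@example.com", source="in-store tablet")
    add_subject(conn, "carol@example.com")            # old spreadsheet, origin unknown
    add_subject(conn, "dave@example.com", source="website signup form")
    record_consent(conn, "alice@example.com", "Acme Ltd", "newsletter", "email",
                   "form=newsletter-signup; checkbox='Email me the Acme newsletter'",
                   "2021-04-01T10:00:00+00:00")
    record_consent(conn, "bob@example.com", "Acme Ltd", "newsletter", "sms",
                   "form=instore-optin; checkbox='SMS me Acme offers'",
                   "2021-04-02T11:30:00+00:00")
    record_consent(conn, "dave@example.com", "Acme Ltd", "newsletter", "email",
                   "form=newsletter-signup; checkbox='Email me the Acme newsletter'",
                   "2021-04-03T09:15:00+00:00")
    withdraw_consent(conn, "dave@example.com", "Acme Ltd", "newsletter", "email",
                     "2021-05-01T08:00:00+00:00")
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("Acme Ltd newsletter by email:", marketable(db, "Acme Ltd", "newsletter", "email"))
    print("Acme Ltd newsletter by SMS:  ", marketable(db, "Acme Ltd", "newsletter", "sms"))
    print("Acme consent reused by Other Co:", marketable(db, "Other Co", "newsletter", "email"))
    print("no record of consent (drop):  ", unverified(db))
```

Running it shows the points from the list above as query results: Bob's SMS consent does not make him reachable by email, Acme's consent is worthless to Other Co, Dave drops out once he withdraws, and Carol, whose address came from an old spreadsheet with no consent record, never appears in a send list. The UNIQUE constraint also stops a second consent row from silently overwriting the evidence of the first; a renewed consent after withdrawal should be recorded by clearing withdrawn_at and updating the evidence, which the example deliberately leaves as a manual step.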
Next month we’ll be discussing database best practices, including the new regulations for how data needs to be stored and protected. Managing your database and data subject records correctly is imperative under POPIA.
Please note: None of the above should be construed as legal advice. We are simply attempting to unpack the practical implications of the new legislation as we understand it. Your attorney will be able to give you legal advice if you feel you need to go into more detail.
If you’re unsure about the compliance of your data gathering practices, contact us today for a free POPI audit.