POPIA Part 3 — Data Retention and Storage Best Practices
In our last POPIA article, we looked at how personal information can be legally gathered. Now let’s turn to the question of how that data should be managed and stored in terms of the Act’s regulations.
The issue of data quality is addressed in POPI Section 16 of Principle 5: “A responsible party must take reasonable, practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.”
Principle 7 is called “Security Safeguards” and expands on the topic in Section 19: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures…”
What the Regulations Say
Retention of Records
To store personal information records in accordance with POPIA, the following principles should be applied:
- Only those records that are applicable to the goal should be retained
- And only for the period that they are needed
- They must be updated on a regular basis
- They may only be used for the purpose they were collected for
Disposal of Records
A disposal plan must be put in place and then strictly enforced. Keeping records and not destroying them when their function is completed is extremely risky under POPIA.
Ensuring that duplicates are destroyed is an important part of disposal. A system for detecting and eliminating duplicates should be implemented. Duplicates may be on paper or on the computer.
Database Best Practices
Enforcing strict access controls is the first step in ensuring data protection. Enforce rules requiring workers to use complicated passwords and include employee training on how to secure their security credentials effectively. Use multi-factor authentication to ensure that only approved users and devices have access to stored information.
Make sure that all personal data on devices and systems is protected with encryption. Because POPIA spares businesses from notifying data subjects and regulators if breached data is unreadable and the subject can’t be identified, encryption not only protects the data subject but also protects your business from a lot of trouble if an employee-used device is lost or stolen.
Use a Good CRM System
Most Customer Relationship Management systems, such as SharpSpring, the CRM we recommend to all of our clients, handles much of the data retention best practices for you.
SharpSpring’s policy on the classification and safe handling of data is a defined Information Classification Policy that identifies all customer data as confidential.
All sensitive data shared between the application, extranet, tracking endpoints, and servers is transferred using Transport Security Layer (TLS) protocols with up-to-date ciphers utilising (a minimum of) 256-bit RSA encryption keys. Credentials are stored in an encrypted on-disk format to prevent the data from being compromised if a data theft or data breach incident occurs.
Other Best Practices: Sunsetting
Another database best practice is to segment your database based on the engagement of your subscribers, and to remove those who cannot be re-engaged from your database.
Email sunsetting is the method of finding inactive subscribers who have not opened or clicked on your emails in a long time and devising a plan to either re-engage or exclude them from your list.
Your email campaigns will benefit from a well-planned sunsetting strategy in the following ways:
- Your active email list will consist of people who are interested in receiving your newsletters
- This will enhance the delivery of your emails
- It will also boost your campaign’s open rates, click rates, and overall engagement
To begin, define inactivity in your business. Determine how long a user must be inactive before being considered inactive. After you’ve made your decision, go through your email analytics data and gather data from inactive users. Though inactivity varies by company, for starters, users who have not opened a single email from you in the last six months are considered inactive. These users are considered “graymail”.
According to SharpSpring:
“Essentially, sending to unengaged recipients puts your sender domain at risk and increases your chances of hitting a spam trap, or having your sender domain classified as spam. Aside from this spam classification, sending email to contacts who are no longer interested in reading what you have to say can result in sent mail being kept out of the inbox.
“Graymail directly impacts your sender reputation with Internet service providers (ISPs). As leads are sent more emails that they do not engage with, mails may be filtered as spam. ISPs have categorisation algorithms that determine whether or not your emails are delivered to the inbox. While certain mailbox tabs are no longer the threat they used to be, any mail that does not end up in the inbox is at risk of being ignored outright.”
A good CRM system like SharpSpring also has built-in engagement tracking, taking the fuss out of identifying low-engagement contacts.
Next month, we’ll be wrapping up our POPIA series, with a summary of final thoughts and how personal data can legitimately be used in direct marketing campaigns.
Please note: None of the above should be construed as legal advice. We are simply attempting to unpack the practical implications of the new legislation as we understand it. Your attorney will be able to give you legal advice if you feel you need to go into more detail.