What Does POPIA Mean for Marketers?
Part One: An overview of the new Protection of Personal Information Act
You’ve no doubt heard about the POPI Act, or POPIA as it is sometimes called – SA’s version of the EU’s General Data Protection Regulation or GDPR. The aim of the Protection of Personal Information Act is to ensure that everyone’s right to privacy is taken seriously by businesses and other organisations. Its purpose is to protect South African citizens from the unlawful collection, retention, use and dissemination of our personal information. And after a grace period of a year, it becomes legally enforceable on 1 July 2021.
What does this mean for businesses who are simply trying to generate and sustain interest in their products and their brands via various kinds of direct marketing? Especially those working with legacy databases dating back years and years? You know, that Excel spreadsheet that was compiled on a secretary’s PC in the early 80s, backed up on a stiffy, eventually stored on a server, and has now made its way into the company’s cloud-based archives?
And that’s just one aspect of the whole subject, which also includes what you do with this information, and how you use it in marketing. So, how do you as an advertiser get your POPI house in order in the next four months?
In this series of four articles, Machete’s digital strategist Ke Poyurs unpacks the practical implications of the new legislation for the marketer in the street.
What exactly is ‘personal information’? And why does it need to be protected?
Because the internet has totally changed the way we interact and perform daily tasks – especially in a pandemic – we have all become pretty comfortable with sharing all sorts of personal information online. We send emails, we exchange documents, we pay bills, register interest in various brands and causes, register for webinars, sign up for newsletters, download white papers, and order goods online without a second thought.
All of this involves entrusting a third party with some amount of personal information – which, according to the ‘Conditions for Lawful Processing’, includes everything from someone’s name, contact information, ID number and address to their age, gender, demographics and personal background – even their correspondence history.
The danger of this information falling into the wrong hands is fairly obvious when it comes to financially sensitive data that could be used to access bank accounts, for instance. So there is far more at stake than the risk of being spammed by a call centre or an incoming sales SMS or an email from a company you’ve never heard of. There has been a disturbing increase in various kinds of cyber crime, which can have devastating effects on victims.
The recent Experian data breach highlights the danger. When the breach occurred in September 2020, the private information of an estimated 24 million South Africans and almost 800 000 businesses was exposed online. Such an event emphasises the significance of personal information and the numerous issues and threats involved when it falls into unscrupulous hands.
Other security breaches leaking the personal data of millions of South Africans have occurred on LinkedIn, Dropbox and the Deeds Office! (Side note: has YOUR personal data been leaked in any of these breaches? You can check here: https://haveibeenpwned.com)
So what does a marketer have to do to comply?
In a nutshell, POPIA means that companies must get permission from individuals before they collect, store and process personal information for communication or any other purpose. Basically, this means that buying lists of email addresses for marketing is a no-go, and could be punishable by huge fines.
So before you send any unsolicited marketing material to anybody, via email or any other means, you need their explicit consent.
If you have a database of email addresses, you’ll need to make sure that you have explicit permission from those people to communicate with them.
But over and above obtaining permission before direct marketing to someone, the legislation demands that businesses have a clear understanding of how all personal information they collect is handled, processed and stored securely.
How is information collected? Where is it stored? Who has access to it and how is it used? These are all questions that business owners must be able to answer come 1 July 2021.
Protection of sensitive information includes applying diligence to all levels of physical and information security. If you collect personal information on your website for the purposes of marketing your business, you are not at liberty to pass on that information to any other party. You have a responsibility to keep this information secure, where it cannot be accessed by unauthorised persons.
The Act also requires the creation of systems and processes that clearly define where personal information will be stored, physically and electronically; the appointment of a staff member responsible for this data security; and a record of how and when the information was gathered, who has access to it, and for what reason.
Who’s who in the POPIA zoo?
That sounds fairly simple in principle, doesn’t it? But the whole situation gets rather more complicated when there are more parties involved than just the ‘person’ and ‘the business’ – in other words, in the many real-world situations where a company employs a third party to handle some or all of the data collection and storage functions. This could be an IT vendor, for instance, or, case in point, an advertising agency.
Just to get some basic definitions straight, POPIA defines three parties who could logically be involved in the process, each of whom could be either natural or juristic persons:
- The Data Subject: This is the person to whom the personal information belongs
- The Responsible Party: This is the person who decides why and how to process information. This could include companies, non-profit organisations, schools, government departments and individuals.
- The Operator: the person or entity who, on behalf of the Responsible Party, collects, stores or processes personal information.
The Act places various obligations on the Responsible Party, who is solely responsible for the lawful collection of personal data. Responsible Parties should only use Operators who comply with the legal requirements laid down in POPIA.
What kind of measures will you have to take to comply?
There are various steps that responsible parties will have to take in order to become compliant, which we will cover in detail in our future posts. But here is a broad overview of the kind of changes that will need to be implemented by an advertiser:
- You will need to appoint an Information Officer who will personally oversee all data protection issues, as well as make other staff who may have access to the data aware of their responsibilities
- You will need to make sure your Privacy Policy is up to date, in line with the Act and available on your website
- You will need to have a clear understanding with your advertising agency and IT vendor about their roles and responsibilities
- You will need to report any data breaches to the Regulator and data subjects affected
Why should you bother?
Aside from any ethical considerations, there are some pretty hefty legal consequences if you are found guilty of not adhering to the provisions of the Act. For the liable party, there are essentially two kinds of possible punishments allowed for:
- A fine of between R1 million and R10 million or up to ten years’ imprisonment
- An order to compensate data subjects for losses caused by data leaks
We don’t really have any idea yet as to how courts will apply these sanctions in practice, but the seriousness of the legal sanctions does help concentrate the mind! In addition, however, there are other consequences that could be damaging to your business:
- Loss of credibility and your good reputation
- Loss of customers and employees
- Damage to your ability to attract new clients
So … What are the next steps?
Understandably, there is a lot of confusion and uncertainty about exactly how POPIA will affect current marketing practices, and what businesses can and cannot do under the new legislation. It will probably take some precedent-setting legal action to reveal exactly how toughly the legislation will be applied.
However, it would be pretty stupid to take an ostrich approach to the whole matter until this happens. It would also be pretty risky to stop all activity that might render you guilty of an infringement. Good faith intent will without doubt be an important factor in judging a case of this nature.
So what advertisers need to do is try to achieve a careful balance between respectful and sustainable marketing strategies that can support business growth, and the consumer’s right to privacy.
To achieve this balance, marketers and business owners must clearly understand the parameters which POPIA has laid out, and adapt their marketing practices accordingly. In the next three issues of Cutting Edge we will go into more detail about:
- How data may be collected
- How it should be stored
- How it may be used
Please note: None of the above should be construed as legal advice. We are simply attempting to unpack the practical implications of the new legislation as we understand it. Your attorney will be able to give you legal advice if you feel you need to go into more detail.
James Kirk
How are you supposed to get someone’s permission to send them something if you can’t legally send them something to ask them?
Ke Poyurs
Hey James. Good question! Usually, you would acquire this permission when you originally gather the email – so you wouldn’t need to email them first.
If someone signs up on your website, for instance, you’ll usually have a tickbox that says something to the effect of, “I consent to receiving marketing emails.” Alternatively, if they’re signing up for a newsletter, the permission is implicit.
Hope this answers your question!