A Marketer's Guide To POPI.
Created 12 March 2014 by Nicholas Marini
We know a lot of people are worried about POPI (the Protection of Personal Information Act), which has come into law, so we wrote this nifty little guide that tells you the essentials of what you need to know. You are welcome to contact us for a free POPI consultation. We get all our information from the Direct Marketing Association of SA, which played an integral role in consulting with government about the Act and its implementation. This post breaks the Act down into bits and pieces for you and speaks to its main purposes and how it affects marketing operations and the storage of data. POPI is the largest Act in South Africa's history, so if you feel unsure of anything or need clarity, just give us a call: there is a great deal of grey area in the Act that the regulatory bodies will still have to take care of. We hope you find it handy. Please share it so that we get to know the law and become more effective as an industry, together.
Extent of Act
The Protection of Personal Information Act (P.O.P.I.) covers the collection, processing and use of personal data for any reason, by any juristic or natural person, with the sole exception of a personal address book. The Act is principles based and therefore allows for exceptions and exemptions, as well as exceptions to the exemptions. P.O.P.I. is read in conjunction with the following Acts:
- Promotion of Access to Information (PAIA) Act 2000
- Electronic Communications Act 2005
- Consumer Protection Act 2011
Should there be conflicting law between these Acts, the most restrictive law must be applied. P.O.P.I. will govern how we interact with any private and personal data, not only that of our current or prospective clients but also HR data. Data safety and consent are paramount in the Act, and the legislation allows for hefty fines should the law be disobeyed.
Who is affected
- All companies and any of their divisions holding personal information – natural or juristic.
- The 3 tiers of government: municipalities, provincial and national
- All parastatals
- Service providers
- Individuals, consultants and sole traders who hold personal information. Exception: Data held for personal use.
There are only three ways to collect data:
- From the consumer directly
- From a third party
- From a public record
The consumer must be informed before collection, except “if not reasonably practicable”. Furthermore, the data may not include information that is irrelevant. If data is not collected directly from the individual, the individual must be made aware of the source used.
Notification for Collecting Data
The information that needs to be given to the consumer prior to the collection should include:
- What information is being collected
- The source of the data, if necessary
- Name and address of the user/marketer (Juristic person is sufficient)
- Any category of recipient with nature of data and right to access or rectify the data. E.g. A list broker, different divisions in a company, etc.
- Right to object and/or to complain
- If the collection is voluntary or mandatory and the consequences, if any, of not providing the information.
- If data will be transferred to another country
Purpose and Retention of Data
Data “must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”.
Data should only be retained for as long as “necessary for achieving the purpose for which [it] was collected”.
Marketing is a legitimate purpose for the collection, retention and processing of data. Please remember, though, that there is a clear differentiation between e-communication (e-mail, SMS/MMS, fax) and other Direct Marketing approaches such as mail and telephone. The differentiation has a large impact on consent, but all of them require that the consumer be able to opt out at any time.
Consent is defined as “any voluntary, specific and informed expression of will in terms of which permission is given”.
However, it does of course come with its exceptions, and these are:
- (11 b) “where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party”;
- (11 f) “where processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom information is supplied”
Consent is governed by two terms in Direct Marketing, “Opt-in” and “Opt-out”. Certain communication methods require Opt-in: marketing by e-communications (email, SMS, fax, automated calling machines) must have consent (“in the prescribed manner and form”). Without prior opt-in, a consumer may be contacted by e-communication only:
1) Once, to request consent, so long as the consumer has not “previously withheld such consent” (e.g. on the national opt out database);
2) If the data has been collected “in the context of a sale”, in which case consent is considered given (soft opt in) for “similar products and services”.
Different Channels Have Different Requirements
Often referred to as “sensitive” data, special data includes the following fields:
- Sexual Preference
- Criminal Record
- Trade Union Membership
Special data has an impact on your HR process, as consent will now need to be acquired from the employee before recording this information, and the relevant notifications must be given to the employee. This consent will also be required for existing staff contracts, as well as for past contracts and retirement data.
The Information Officer
Even though, in a court of law, the Directors and Board of a company are held liable, each entity must appoint an Information Officer who is responsible for the implementation of P.O.P.I. in the company. The Information Officer can be a natural or juristic person, which allows this function to be outsourced. You may also have more than one Information Officer, and it is possible to have one for each division where necessary.
Do’s and Don’ts
Do:
- Inform customers that they may be on your database and that they are invited to check (current thought suggests this can be done via a newspaper advert or by making it publicly accessible).
- Create a checklist of all notifications you need to give current and prospective clients.
- Check all your current databases and consolidate them into one.
- Update your database regularly; P.O.P.I. requires that the data be up to date.
- Ensure your data is secure and cannot leave your ownership.
- Check your data against the national opt out database at www.nationaloptout.co.za
- Schedule regular data audits.
- Appoint an Information Officer.
- Have a code of conduct regarding data in your company.
Don’t:
- Keep unnecessary or old data.
- Create multiple databases.
- Misinform potential clients about the purposes of your data collection.
- Keep invalid or old data.
- Accept databases from disreputable sources.
- Ignore Opt-outs.
- Conceal data breaches.
We hope you found this helpful and can use it in future. Don't forget to share it with your colleagues and friends, and give us a call or drop us an e-mail anytime you have questions. Good luck!