Just a quick reminder that the provisions of the Protection of Personal Information Act (POPIA) take effect on 1 July. Technically, the Act came into effect last year, but it also granted a one-year grace period to become compliant, and that grace period expires on 30 June 2021.
Failure to comply with certain of these provisions is punishable by a fine (not exceeding R10 million), imprisonment (not exceeding 10 years), or both.
Information Collection Under POPIA
The POPI Act doesn’t prevent you from collecting information about your customers. However, it does place considerable restrictions and responsibilities on how that data is used, stored, and disposed of.
It may not be shared with a third party without consent, and it may not be used to send marketing materials without consent. (And this needs to be explicit “opt-in” consent. It’s no longer sufficient to automatically opt people in, or to include a clause in the terms and conditions saying that they agree to receive promotions from you.)
Data For Purpose
Data may be retained (and must be securely stored) only for as long as is necessary to fulfil the purpose for which it was collected. However, this isn’t quite as straightforward as it sounds. If, for example, somebody was receiving your newsletter and unsubscribed (or asked you to remove them), it’s still necessary to keep enough of their data (at least the address you were sending to) so you can ensure you don’t accidentally start sending them material again.
The key thing here is to think carefully about what data you need, why you need it, and how you are going to use it. Based on those factors, you must be able to justify both retaining the data and each use you make of it.
Explaining Your Data Policies
In order to be compliant, you will need to be able to explain to any client exactly what data you store about them, how you store it, where you got it, and what you do with it. The Act also requires that every business appoint an Information Officer and that it have a privacy notice explaining how it processes such information, what it does with it, and how long it keeps it for.
If you have a newsletter subscription form, it needs to explicitly say that you will be sending them promotions (or whatever) via email. If you’re going to SMS them as well, it needs to mention that too.
The objective of POPIA is not necessarily to stop information being supplied, requested or collected, but to ensure greater transparency and control over that information. It includes not only things like customer information, but also employee information. Technically, under POPIA, a company would need permission from applicants to retain a copy of their CV, for example.
The POPI Act is effectively trying to ensure that businesses deal with personal data responsibly, and that people are not taken advantage of by its misuse.