Although promulgated into law in 2013, the Protection of Personal Information Act, (or POPI Act) has been in only limited effect for the past 7 years, never really going past the point of setting up the office of the Regulator as envisaged in the Act.
As a result, although the framework has been there, the actual regulations as specified by the Act have never been enforced, or even “activated.”
All that is about to change though.
POPI Effective As Of 1st July 2020
According to a statement released by the President this Monday, (23 June 2020) the POPI Regulations will come into force on the 1st of July this year, and businesses have 1 year from that date to ensure that they are POPI compliant, or face fines of up to 10 million Rand, depending on the scale of the business and severity of the offence.
The essential component of POPI is that all forms of marketing communication must be opt-in, and that only first person data, (data supplied by the customer themselves, and with the explicit acceptance of receiving such communication) may be used. (Other tenets include limitations on the purposes for which such data can be used, and limits on how long data can be held by the company, amongst others.)
Implications For Business
In theory, the implications for some businesses could be significant. It’s expected for example that the entire cold calling, spam sms, and related direct marketing sphere will be severely curtailed by this, and with potential fines of up to R10 million, there could be severe repercussions for companies reported to the regulator.
In practice, it doesn’t need to be quite as bad, but it is critical that you start transitioning to 1st party data as soon as possible, and that means getting opt-in from your database of contacts, in the event that you do not already have them. No more buying databases from 3rd parties or anything like that either, if you had ever done so in the past.
Another thing you will need to do if you engage in keeping client data for communications purposes is appoint an Information Officer, (if you have not already done so in accordance with the Promotion of Access To Information Act of 2000 of course).
But the most important thing you need to do is to make sure that your data collection, storage and processing policies are in place, and compliant with the legislation.
You can get your own copy of the POPI Act of 2013 by following this link, and clicking on the download button: Protection of Personal Information Act.