From 1 July this year, South African companies must be fully compliant with the requirements of the Protection of Personal Information Act (POPIA). This is the realisation of a process that began in 2013 with the government looking to introduce certain conditions for how personal information can be processed.
Whether it is a small boutique, a coffee shop, or even a creche, every business regardless of size or industry sector will be held liable if they do not adhere to these government regulations that focus on how personal customer information can be processed, amongst other things.
But what do you as a small business need to keep in mind about this legislation and how will it impact your approach to how they process customer data and generate leads?
“Being non-compliant is simply not an option. It can result in significant financial fines, reputational damage for a brand, paying out damages claims to those customers impacted, and even jail time for the small business owner. In today’s economic climate, no SME can afford for any of these things to happen. But with these smaller companies so focused on business survival, it has become difficult for them to manage the POPIA compliance process as well,” says Louise Robinson, sales director of CG Consulting.
“There are many resources businesses can explore that detail and introduce off-the-shelf POPIA toolkits, however when it comes to understanding the compliance needs of actual data, we know what is needed and how to process this within a business,” adds Robinson.
There are 3 simple things to remember when it comes to handling data, for marketing related purposes:
1. Acquire an opt-in
One of the most critical areas of POPIA is the need to get someone’s consent before sharing their information. While the opt-in approach has been gaining momentum in recent years, POPIA makes this a non-negotiable tactic. This even applies to how companies share personal customer information internally. For example, unless the customer has given express condition to do so, a business cannot even share the data between departments. This makes blanket marketing campaigns a challenge if not approached correctly.
“One of the most effective ways of eliminating any issues is to add a disclaimer to all marketing material and company forms that explicitly states what you are collecting information for. Already, many organisations have adopted the approach in the all too familiar sentence ‘you are consenting to receiving communication from XXX’. This tick box does not mean that a company can still approach the market in the same way as pre-POPIA days. It still requires a more targeted focus around how the data is used to personalise leads management,” says Robinson.
2. Understand database legality
For those companies who buy databases, it is now imperative that they use reputable service providers that ensure that people have given their consent to their data being sold. If not, the database is illegal, and both the company and the service provider will be held liable for non-compliance.
“Fortunately, most companies have already been adhering to direct marketing best practices to better target new leads and service existing customers. Things like creating quality content, keeping the number of marketing outreaches to a minimum, and maintaining a targeted approach are all elements that have set the basic standards in recent years. Having said that, more attention must be placed on clearly marking ‘opt-out’ or “unsubscribe” areas on newsletters and other forms of communication. What used to be considered spam is now considered non-compliant to POPIA and therefore illegal,” she says.
3. Protecting your data & Gaining existing customer permission
Those companies using existing databases must ensure all data is stored and protected from being downloaded and sold maliciously, which in turn can make the company liable if it gets into the wrong hands. Companies should be able to say where the data came from i.e. a competition, website or tradeshow that demonstrates clients’ permission to being sent marketing communication. If this is not in place, companies (or database service providers) must reach out to those customers and get that permission or remove them from marketing databases.
“Ultimately, POPIA comes down to taking ownership of your databases and personal information within a company, protecting your customer and internal databases from security breaches, understanding where all your data is from, where it is stored as well as having customer permission to use their information for marketing purposes. If this is not in place, then it does not matter if the company complies with all other aspects of POPIA, it will remain non-compliant,” Robinson concludes.
POPIA Data governance and regulatory policies are unique to South Africa. Other African countries also have their own set of data protection requirements which need to be investigated when doing business in Africa. Small businesses and any business that is managing personal information (whether customer or staff data) needs to adhere to various policies and procedures which need to be implemented by an owner/manager within the company.
Understanding the nuances of personal data associated with each country you are operating within is going to become imperative as businesses continue to trade and operate locally and globally.