The Protection of Personal Information Act has been passed by the National Assembly and at the time of going to print was waiting for the President to sign it in to law.
What does this mean for your business? Entrepreneur caught up with information governance specialist, lawyer and contributor to the Act, Francis Cronjé, to find out what’s in store for SA businesses.
New legislation takes time to come into effect. What are we looking at with POPI?
Realistically, it could be another 18 to 20 months before organisations are forced to comply with POPI. Once the Act is signed, a regulator will need to be appointed, and only then can the new legislation be monitored.
This all takes time. However, I believe the reputational risk facing companies is far greater than the regulatory risk, and that will come into effect almost immediately, especially as consumers begin to educate themselves on their rights, particularly that they have a right in determining what their information is being used for, how it is to be handled and under what circumstances they might object to the way it is processed.
How does this impact marketers that use lists for prospecting?
To be honest, you’ll have to change your strategy, approach and way of doing business. POPI doesn’t prevent anyone from marketing to or prospecting for new customers, but it does affect the way in which this is done.
The proposed legislation will provide checks and balances when processing personal information and some of those relate directly to marketing.
In what way?
For example, you’re not allowed to contact someone via cold calling, SMS or email if those contact details were not lawfully obtained. One lawful way of collecting data could be through the use of public registers.
But, those registers might have certain limitations as to what data might be used for, and you need to be aware of what those are. Secondly, you will also have to ensure that you act within the ambit of the Consumer Protection Act.
There are specific instructions on what are considered to be appropriate days and times for making these calls. You can’t SMS someone in the middle of the night for example, even if you lawfully hold their details.
What is best practice for collecting data?
In a nutshell, you need prior consent. This can take one of two forms: At the point of sale you can ask your customer if they would like to receive promotional information from you or third party distributors and suppliers.
Any subsequent contact must include a specific opt-out option, but you can now lawfully contact these prospects. A second scenario is that if you buy something from me, I can now consider you a customer and send you marketing that relates to similar products to what you bought. However, I must provide you with an opt-out option.
How does this differ from current best practice?
Essentially it shouldn’t. The Consumer Protection Act together with the Electronic Communications Act already laid the foundations for consumer protection. Europe has followed these guidelines for almost two decades, and consumers have become a lot more vocal in opting in, opting out, and wanting to know how companies obtained their information.
Businesses that have paid close attention to best practice in Europe and Australia would have already started changing the way they obtain client information and what they do with it, and this goes back to reputational risk.
Scrupulous companies understand how important it is to only approach consumers who want to be contacted. If you’re unscrupulous in how you obtain personal information, and in what you do with it, there’ll be a consumer backlash, and this will hurt your brand.
What are the worst and best case scenarios with POPI’s legal implications?
The worst case scenario is that you can end up in jail, while at its best, POPI compliance could be utilised as a market differentiator. In both cases you need to understand the spirit of the law.
Let’s use identity theft as an example. There are serious implications for the handling of personal information. Marketing is just one small part of this, but of course it’s an important part and shouldn’t be ignored. As long as you have the best interests of your consumers in mind, you can differentiate yourself as a trusted source and holder of contact details.
- Player: Francis Cronjé is the MD of franciscronje.com, an advisory firm providing professional assistance and advice on information governance to organisations, irrelevant of size or regulatory shape.
- Contact: www.franciscronje.com