Simply put, the Protection of Personal Information Act (POPI) sets conditions for what companies can do with information about their customers.
The bill was passed by the National Assembly on 11 September 2012, with amendments approved on 20 August 2013. It has to be signed by President Jacob Zuma before it becomes law.
How the POPI Bill Can Harm Your Business
Businesses will only have one year from the commencement date to comply or face significant consequences, including a R10 million fine or 10 years in jail. If your business processes personal information, then you must comply with POPI.
What is the Protection of Personal Information Act – POPI?
“The intention of the Protection of Personal Information Act is to bring South Africa in line with international standards of protection of personal information and will radically change the way in which both government and business deal with individuals’ private information,” says Charles Stretch, MD of SMSPortal.
How POPI Will Affect The Data You Collect
POPI protects personal information by restricting how it can be collected and used by a company, organisation or person, and sets out eight principles:
1. Accountability:
The responsible party (the party that processes the personal information) must ensure that all of the Act’s principles and measures are complied with.
2. Processing limitation:
Processing of information must be done lawfully and in a manner that does not infringe the privacy of the individual. Personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used.
3. Purpose specification:
Personal information must only be collected for a specific purpose and the individuals must be aware of this. Records must not be kept for longer than necessary to achieve the purpose for which it was collected.
4. Further processing limitation:
Further processing of the information must be compatible with the purpose of collection.
5. Information quality:
The holder of the data must take reasonable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary, taking into account the purpose for which the information was initially collected.
6. Openness:
Steps are required to ensure that the data subject is aware of the personal information being collected and the purpose of collection.
7. Security safeguards:
The responsible party must secure the personal information under their possession/control. Should a security breach occur, the responsible party must notify the subject whose information is compromised.
8. Data subject participation:
The data subject can ask whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
POPI Will Make it Essential for Prospects and Customers to Agree to Receive Your Communication
Stretch points out, “Specifically relating to the running of SMS marketing campaigns, direct marketers cannot use personal information for direct marketing unless they have the consumer’s permission. In the case of a direct marketing organisation, they must have ‘opted in’.”
The consumer can “opt-in” in one of two ways:
1. Firstly, the consumer can give his or her explicit consent to receive direct marketing.
- This would ideally be obtained when the information is collected, but a direct marketer can also approach the consumer for consent later. If it does this, it can only approach the consumer once for consent.
- A direct marketer must get a consumer’s contact details in the first place to approach the consumer for consent. Unless these contact details were in the public domain, such as a telephone directory, merely obtaining the contact details could be an infringement of POPI.
- For example, if a direct marketer received a list of individuals and their contact details from a company that collects and sells marketing information, the data vendor would itself have infringed POPI by passing the list on to the direct marketer, even if the direct marketer never actually uses any of the information contained in the list, unless the individual specifically consented to their information being passed on.
2. Secondly, if the consumer is a customer of the direct marketer (and not of anyone else) then the direct marketer can use their information for direct marketing ONLY if:
- The data was obtained in the context of the sale of a product or service, and
- The direct marketing will be in respect of the marketer’s OWN similar goods/services, and
- The consumer has been given a reasonable opportunity to object to receipt of direct marketing both when the data was first collected and on each occasion when direct marketing is made to the consumer.
POPI Infringement: The Consequences Will Be Harsh
POPI makes provision for enforcement notices to be served on those infringing the data protection principles or the direct marketing provisions of POPI. Failure to comply with an enforcement notice is an offence, and on conviction may lead to a fine, up to 10 years in prison, or both.
Perhaps more seriously, says Stretch, if a data subject suffers any loss as a result of an infringement, the responsible person will be strictly liable for this loss. In other words, it does not matter if the responsible person was negligent, or acted intentionally in infringing POPI – if the infringement caused loss to the consumer, the responsible person is liable.