With the advent of the Protection of Personal Information (POPI) Act, retailers have to be prepared to deal with customers’ questions about the type and amount of personal information that they are collecting, why they are collecting it and how they intend to protect it against abuse.
What is personal information?
First of all, we should be aware of what constitutes personal information. POPI provides a wide definition because this could include diverse forms of data, ranging from addresses, ID numbers, cell phone numbers and biometrics to personal views on certain issues.
It also differentiates between “normal” personal information, special personal information (such as information about health) and children’s personal information – all of which have different rules that will apply to the processing of the personal information.
There isn’t a defined list of information that retailers are prohibited from collecting, but as a rule of thumb, any business should only collect what is necessary for them to achieve a specific purpose – which should be communicated to customers or potential customers.
A good example of that would be the use of ID documents to verify a customer’s identity. The retailer has to justify why he or she should be entitled to collect the information.
For example, do they really need a copy of a customer’s ID document or is it sufficient for that customer to merely display the document? If they don’t need a copy, why keep it? And even if they can justify why they need a copy of such a document, they should only use it for the purpose they originally collected it for, e.g. a credit check.
Should they wish to use the information for any other purpose, they will need to notify the customer.
You need customers’ consent
Consent as such does not always have to be given in written format, as it won’t always be practical to gain written consent.
For example, if a supermarket has a lucky draw box on the counter where customers could place their till slip with a phone number to enter into the competition, they won’t want a customer to fill in a lengthy permission form – but they will only be able to use the information for entry into the draw.
Any other purpose will need to be specified explicitly. It is important to bear in mind what the expectation of the individual would be – what can the retailer use the information for?
Similarly, if a customer has signed up for a loyalty program, the retailer is entitled to track their purchases and use that information to promote products in the future based on buying behaviour – provided that they received consent to do so when the customer signed up or notified the customer that the information would be used for that purpose.
Communicating with your customers
Of course, not all retailers’ communication occurs in-store. Many retailers frequently communicate with their customers via social media platforms such as Facebook.
Social media has meant that many customers make information publicly available. The fact that information has been made publicly available does not mean that POPI in its entirety won’t apply.
If the company wishes to collect data via their Facebook page, they would still be responsible for securing and protecting that data once they start processing it, and they would still have to limit their use, disclosure and retention of that information in line with the purpose for which they collected it.
Keeping the information secure
Naturally, security is a large concern for retailers, many of whom frequently receive and retain sensitive hard copy information, such as credit card slips. Retailers would have to retrain their employees in preparation for POPI.
There isn’t an exact list of specific measures to be implemented, but retailers would need to review their current processes and educate their staff about the importance of safeguarding personal information. For example, they would need to ensure their staff understand that items such as credit card details can’t be left in full view of anyone, but should be locked away.
One needs to consider it from a practical point of view and educate staff members with reference to practical examples.
Impact on HR
POPI also has implications for future HR activities. These will include, for example, revising current policies and employee contracts.
Although this may be a costly exercise, most retailers – rightfully – see the Act as a positive introduction to their systems. Most retailers understand that the misuse of customer information will have serious reputational consequences.
It is also necessary to create awareness among staff members of how they use personal information. Responsible use is key!