(Source: Entrepreneur Magazine)
The intention of the Protection of Personal Information Act is to bring South Africa in line with international standards of protection of personal information and will radically change the way in which both government and business deal with individuals’ private information,” says Charles Stretch, MD of SMSPortal.
How POPI Will Affect The Data You Collect
POPI protects personal information by restricting how it can be collected and used by a company, organisation or person, and sets out eight principles:
The responsible party (those who process the personal information) must ensure that all of the Act’s principles and the measures are complied with.
2. Processing limitation
Processing of information must be done lawfully and in a manner that does not infringe the privacy of the individual. Personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used.
3. Purpose specification
Personal information must only be collected for a specific purpose, and the individuals must be aware of this. Records must not be kept for longer than necessary to achieve the purpose for which it was collected.
4. Further processing limitation
Further processing of the information must be compatible with the purpose of collection.
5. Information quality
The holder of the data must take reasonable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary. All the while, taking into account the purpose for which the information was initially collected.
Steps are required to ensure that the data subject is aware of the personal information being collected and the purpose of collection.
7. Security safeguards
The responsible party must secure the personal information under their possession/control. Should a security breach occur, the responsible party must notify the subject whose information is compromised.
8. Data subject participation
The data subject can request whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
POPI Will Make it Essential for Prospects and Customers to Agree to Receive Your Communication.
Stretch points out, “Specifically relating to the running of SMS marketing campaigns, direct marketers cannot use personal information for direct marketing unless they have the consumer’s permission. In the case of a direct marketing organisation, they must have ‘opted in.'”
The consumer can “opt-in” in one of two ways:
1. Firstly, the consumer can give his or her explicit consent to receive direct marketing.
- a. This would ideally be obtained when the information is collected, but a direct marketer can also approach the consumer for consent later. If it does this, it can only approach the consumer once for consent.
- b. A direct marketer must get a consumer’s contact details in the first place to approach the consumer for consent. Unless these contact details were in the public domain, such as a telephone directory, merely obtaining the contact details could be an infringement of POPI.
- c. For example, if a direct marketer received a list of individuals and their contact details from a company that collects and sells marketing information, the data vendor would itself have infringed POPI by passing the list on to the direct marketer, even if the direct marketer never actually uses any of the information contained in the list. Unless the individual specifically consented to their information being passed on.
2. Secondly, if the consumer is a customer of the direct marketer (and not of anyone else) then the direct marketer can use their information for direct marketing ONLY if:
- a. The data was obtained in the context of the sale of a product or service, and
- b. The direct marketing will be in respect of the marketer’s OWN similar goods/services, and
- c. The consumer has been given a reasonable opportunity to object to receipt of direct marketing both when the data was first collected and on each occasion when direct marketing is made to the consumer.
POPI infringement: The Consequences Will be Harsh
POPI makes provision for enforcement notices to be served on those infringing the data protection principles or the direct marketing provisions of POPI. Failure to comply with an enforcement notice is an offence, and on conviction may lead to a fine, up to 10 years in prison, or both.
Perhaps more seriously, says Stretch, if a data subject suffers any loss as a result of the infringement, the responsible person will be strictly liable for this loss. In other words, it does not matter if the responsible person was negligent, or acted intentionally in infringing POPI – if the infringement caused loss to the consumer, the responsible person is liable.
- 1. Ensure that your company is properly set up and registered in order to protect you against personal liability.
- 2. Every transaction has a tax consequence. Make sure you understand what these consequences are. If you are not sure, it is worth investing in a consultation with a tax specialist.
- 3. Do not make promises or commitments in writing if you are not completely committed to honouring them. Always assume that what you say in an email or text message is as legally binding on you like a signed agreement.
- 4. As soon as there is more than one shareholder or member of the business, all parties involved should sign an agreement to govern their relationship. Make sure you address the following aspects: how profits are shared and paid out; how new partners/shareholders can be brought into the business; who will fund the business; and how and when loans will be repaid.
- 5. If your business supplies goods or services to the public, know what your obligations are in terms of the Consumer Protection Act.
- 6. Avoid signing personal surety, especially a covering surety, since it cancels the benefit of limited liability that trading through a company provides. Instead, consider other forms of security such as a bank guarantee.
- 7. If you are selling your business, do not forget that your employees must transfer to the buyer and cannot simply be retrenched. Also, remember to transfer your rights and obligations under the business’ contracts to the buyer. If you do not transfer the contracts to the buyer, you will remain liable under those contracts.