PoPI and your business – Ignorance is not bliss, the risks are real

The implementation of the Protection of Personal Information Bill (PoPI) will introduce many new business risks.

March 13, 2013

By Archie Marincowitz, Technology Enablement Sales Manager, IQ Business Group

In September last year, the Protection of Personal Information Bill (PoPI) was passed by the National Assembly and the President is expected to rubber stamp it soon – but why should you care about it?

Once it becomes law, PoPI will dictate what personal information can be used and how, how it must be stored securely, and will force companies to tell people if their information has been compromised. It will require companies that store, collect or process personal information to comply within one year. This means that if you store any information about people or organisations, even your own staff, this legislation affects you.

Business processes
For most businesses, this draft legislation will have significant operational, technical and financial impacts. However, preparing for PoPI is not just a project; it will change the way your business operates, specifically the processes and methods you use to handle personal information.

Here are some issues you should consider:

  • All hands on deck – The buck no longer stops with IT. Everyone across the business – client-facing executives, administrators, receptionists, security personnel and management – will need training and a clear understanding of policy and procedure.
  • Take stock – You will have to clean up all databases to check the information stored for each person. Customers will be within their rights to ask you to provide all the personal information you have on them. Pulling together the information across multiple departments and data sources will be a nightmare, especially for those who store and maintain their data across multiple Excel files.
  • Goodbye to the kitchen sink – You will have to limit the personal information you collect and only keep it for as long as you need it. The type of information stored needs to be specific to the transaction, e.g. you can only store personal information regarding someone’s religious or philosophical beliefs if you are a spiritual or religious organisation to which that person belongs.
  • Consent is key – You have to inform consumers that you have their information, how you got it and what you are going to do with it. The Bill recognises numerous ways of getting personal information and reasons for keeping and using it, but having the consumer’s informed consent is best practice.

Marketing and communications become a business risk
PoPI intends to regulate direct marketing and specifically speaks to electronic communications with the aim to cut down on spam. Electronic communication is defined in the Bill as being “not limited to” automatic calling machines, faxes, SMSes and e-mails.

Direct marketing is already a risky business area, as unsolicited communications can damage your brand’s image beyond repair. Consumers have more collective power now because of the social media platforms available to them, and if they feel that you are spamming them, they are able to complain very publicly.

With the imminent introduction of PoPI, however, the potential reputational risk is increased. You will have to develop strategies to ‘legalise’ the personal information you already have, and to ensure that the information gathered from today onwards is legal.

Additionally, when promoting products or services to existing customers, your communications will have to be limited to products and services similar to those already sold to the customer. This may mean having to separate customer databases according to product types, adding a layer of technical complication. Your customers will have the usual opt-out rights and will also be able to report infringements to a new Regulator.

Infringement
The Bill introduces a new Regulator, the Information Regulator. The Regulator will be able to investigate businesses on its own initiative and respond to complaints from the public. The legal risks, in addition to the potential legal costs, include criminal sanctions. The Information Regulator may impose fines of up to R10 million and/or imprisonment.

If you are found to be in contravention of PoPI, the Information Regulator will serve a compliance notice and allow you a limited time to correct your behaviour. Changing the way you gather, store, disseminate and protect personal information can be enormously complicated, but doing it under pressure, under the Information Regulator’s watchful scrutiny, may be more expensive than doing it in your own time. This increases the risk of unplanned operational costs.

Perhaps more seriously, if a customer, employee or other data subject suffers any loss due to an infringement, you will be liable for that loss whether or not you were negligent or infringed the PoPI requirements intentionally.

Don’t wait and see
A PoPI compliance project typically starts with analysis to identify the information you work with and related risks. Thereafter an action plan is created to change the related business processes to mitigate these risks.

We believe that the sooner you start, the more business value can be derived from your PoPI compliance project. Align your marketing messages to inform clients, partners and the market of your respect for their privacy, enhancing your brand and reputation.

Added to this, the breathing space you gain by starting early can be used to make better project prioritisation decisions (based on business value and risk), and will go a long way to ensuring earlier compliance, good governance and less of the waste typically associated with last-minute projects.