POPIA: it’s not as scary as you think

Sep 15th, 2020

Right now, there’s a word that’s keeping many South African business executives awake at night – and it’s not Covid-19. While nobody was looking, POPIA, the Protection of Personal Information Act, came into effect on 1 July 2020, and it’s going to fundamentally change the way South African businesses deal with consumers’ personal information.

POPIA establishes a number of minimum requirements that businesses and other organisations must comply with when dealing with personal information: how they gather it, use it and protect it. This includes having to implement measures and procedures to secure that information.

These new requirements apply to every single entity in the country that processes any personal information, including all businesses. Businesses have 12 months to get their house in order, with fines of up to R10 million for non-compliance.

How will POPIA affect my business?

In truth, POPIA shouldn’t come as a shock to any business. Data security and compliance is a discussion we’re having with most of our customers anyway. It affects every business, and every part of the business – even to the extent of ensuring your suppliers and your staff are compliant as well.

POPIA will affect different organisations in different ways. Generally speaking, you’ll need to review your data collection and storage policies, and embark on a journey of making your entire company more data-savvy.

Your business may have to change its approach to customer information, and this is a conversation that has to be driven from the top downwards. If ever there was a time to spring-clean your information, this is it. Ask yourself: What personal information do we hold? How do we get it, and why do we have it? Is the consent we have valid under POPIA?

From a marketing point of view, you’ll have to rethink how you reach new customers. The days of buying a database and bombarding the people in it with your ads and marketing messages are gone. Legally, your T&Cs documents will have to change. You can’t just have catch-all clauses: you actually have to get people’s express consent to gather and use their data. And if they want to be forgotten, you have to let them go.

What’s the benefit for my business?

POPIA is a great opportunity for local businesses to overhaul not only their data policies, but their entire approach to data security, and go beyond mere compliance to create a source of trust and advantage with their customers.

Part of the challenge is that many companies still see data security and compliance as a cost, a grudge purchase or a box-ticking exercise. To us, it’s the exact opposite: it’s a saving, if you consider the staggering impact and cost of data breaches on companies.

Companies that get proactive about compliance are creating huge strategic advantages for themselves. Done properly, compliance makes your business more risk aware, more transparent to regulators and able to reduce operational costs.

So what do I do next?

Find out what’s legally required to keep your customers safe and keep their personal data out of harm’s way. At the same time, you’ve got to protect your business information, which is your source of competitive advantage.

But to make it work, you have to realise that data compliance and security is a continuous process, not a once-off event. You’ve got to plan ahead, and send a clear message throughout your organisation that you take data compliance and security seriously. It’s not just a question of installing a few firewalls and some bells and whistles: it’s a culture that has to be embedded and reinforced.

Ultimately, it’s a good idea to speak to an expert, or your managed business services provider, to assess the impact of POPIA on your business. That way, you can turn compliance to your advantage.

To learn more about the POPI Act and how it affects you, click here.