Be comprehensive on the uptake of POPIA compliance

The Protection of Personal Information Act (POPIA) will serve companies new lessons in how to legally process people’s data. Make sure that lessons are all you get served as companies have until 1 July 2021 to fully comply with the Act.

Marketers must understand the granular details of what POPIA entails and its impact at every level – from corporate policy to consumer engagement. Review how your company processes, stores, uses, and destroys personal information because digital migration has become a glaring reality for South Africa, and so has the prevalence of data breaches.

The Protection of Personal Information Act (POPIA), officially enforced on 1 July 2020, was put in place to promote the protection of personal information processed by public and private bodies. As your company grasps the ins and outs of the Act, you will be introduced to conditions that will establish minimum requirements for the processing or collection of personal information.

POPIA will provide for the establishment of an Information Regulator to exercise certain powers and perform specified duties in terms of both this legislation and the Promotion of Access to Information Act (PAIA). It will provide for the issuing of codes of conduct, while regulating the flow of personal information across the borders of South Africa and bringing to light people’s rights regarding unsolicited electronic communications and automated decision making.

Activate the protective upside of the Act

The ultimate keyword related to POPIA is protection: of all parties and, in particular, of what is considered to be the personal information of the individual. From a corporate perspective, compliance reduces the risk of facing legal penalties should there be any kind of data breach. When you capture data accurately, securely, and without being too intrusive, you will also come across as more reliable when compared to your competitors.

There are three questions to guide you on the path to compliance. These will enable marketing and communication custodians to define “personal information” and understand the implications of dealing with such information as an important consumer asset, and then to comprehend how to process and protect such details.

What is Personal Information?

Defined, it means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of a person;
  • Information relating to the education or medical, financial, criminal or employment history of a person;
  • Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to a person;
  • The biometric information of a person;
  • The personal opinions, views, preferences of a person;
  • Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; and
  • The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Since this information has been a standard feature of personal information capturing, companies can only process it with the knowledge and permission of the individual. According to the POPI Act, this information needs to be managed properly and must be secured at all times.

What does this mean for your company?

As a company, before you obtain, retain and process personal information for communication or any other purpose, you need to receive consent from each individual.

The POPI Act requires that a set of streamlined processes and systems be established that can easily identify where personal information is stored, how this information is processed physically and electronically, who has access to this information, and for what purpose it is required.

Failing to comply with the requirements of the Act could result in dire consequences. The POPI Act has strict regulations that companies need to comply with, because failure to do so can see offenders being fined or even serving jail time – and each business has 12 months (from 1 July 2020) to fully comply with this Act.

Be clear on communication purpose

Remember, an individual can withdraw their consent to use their personal information at any given time. Ensure that personal information is ONLY collected directly from the person to whom it belongs. It is your responsibility to make sure your customers are made aware of the purpose behind the processing of personal information. In this case, openness is of paramount importance.

Adhere to processing limitations

Personal information must be handled lawfully, and in a reasonable manner that does not infringe on the privacy of an individual. Your business processes should provide a specific reason for processing personal information, the collection of data should be proportionate to the purpose, and the purpose itself must be legitimate.

Keep use of information minimal

Personal information may only be processed if, given the purpose for which it is processed, the data is adequate, relevant, and not intrusive or excessive. This is also a broader communication rule of thumb: why would a brand want to resort to nagging (read: spamming) customers?

Whether you are the Information Officer appointed to ensure compliance with POPIA or a marketing intern, an agency or an in-house team, this legislation is not put in place to scare the custodians of people’s personal data. It is there to help us be accountable guardians as we identify, clean up and manage personal information better.

Keep an eye on the Ebony+Ivory website and social pages for updates, as well as the implications for your business and brand, as it unfolds.
