As marketers and media professionals, we should take the forthcoming Protection of Personal Information (POPI) Act personally, particularly once such formal legislation is passed. While the timeline is not cast in stone and the process has a way to go before finalisation, we should not only keep a legal eye on it but must also prepare our organisations to comply with best practice in how we handle the precious consumer asset of personal information.
POPI covers the processing of personal information that is entered in a record by/for a responsible party and by automated means, or non-automated means, is referenced in a filing system. Speaking at an IAS Masterclass, Danie Strachan from Adams & Adams covered pertinent answers to FAQs on the subject. We attended and here are some of our top line take-outs:
- POPI defines personal information as being personal information about a person and an “existing juristic person” or organisation. It includes biometric information in its definition, which is considered to be Special Personal Information (a category in which health and religion also apply).
- POPI will tell you what to do with and how to use personal information in your marketing. It applies to information that is featured in a record and which is organised into a system, e.g. in a file or on a server.
- The Act will be aimed specifically at ensuring organisations don’t deal inappropriately with consumer information that is at risk of being abused. It will seek to give people knowledge about the processing of their personal information; provide a framework for organisations’ handling of such information; and aim to protect against possible misuse of personal information.
BUT
- There is no privacy legislation currently. While some provisions came into effect on 11 April 2014 to create the watchdog regulator, there is no official Act passed as yet. A Cyber Crimes Bill is in place that covers the criminal component of identity theft but POPI will be for organisations that hold the personal information of a person.
- When the law kicks in there will be a one-year phase-in period. Compliance will very much be about disclosure of the personal information that you hold to that person.
- POPI will not apply to personal or household activities, to de-identified personal information, or to processing by public bodies, Cabinet and the Courts. It will also not apply to journalistic, literary or artistic purposes. But if you are one of these professionals, for this to apply you have to be a member of an organisation with a code of conduct by which you abide.
What will the impact of the legislated POPI be for marketers and advertisers?
- POPI will make marketers more precise. When asking people for personal information you will need to ensure that the information you request is adequate, complete and current.
- You must also have a specific purpose if you process personal information and need to ensure you keep to your original purpose.
- You cannot delay implementation. Start to prepare now and even build processes into current marketing and advertising process flow in your organisation, to ensure that personal information records are protected and that permission is sourced per use of every record.
- Consider that an Information Protection Officer will need to be appointed by corporate entities. Don’t delay preparing for and incorporating this role in your organisational structure and possibly appoint that professional already.
- Marketers and advertisers will have to be more careful in survey forms. Do not ask for information that you don’t need for that specific brief or campaign, as this will create a compliance issue for you once POPI comes into effect.
- When it comes to using the personal information of children, marketers will require consent from the parent or guardian before using such records. Rather steer clear of such target audience strategies, as you will need to be exceptionally careful in such matters.
- Openness is paramount and each organisation needs to have a privacy policy which stipulates why the organisation needs to collect personal information and with whom this information may be shared.
- A data subject participation agreement will be critical. An opt-in system is non-negotiable and the administrative form of the regulator needs to be used in its current form for such agreements.
There it is in ebony and ivory! Contact E+I for more information on this subject. Let’s start a conversation to help get POPI onto your radar in a practical way.