It is essential that all businesses — big and small — take special care to understand the implications of the POPI Act since it affects everyone. For consumers, taking note of the Act is important since it is, after all, about protecting their personal data.

However, the Act has been causing confusion for businesses and consumers alike, which is why it has been delayed since 2016. Additionally, many marketers have a lot of new rules to take into consideration.

So, let’s take a look at the basic goal of the Act: it aims to encourage the protection of personal information that is processed by both public and private bodies. Basically, the Act is a code of conduct that all businesses must comply with, or else they can land themselves in some hot water by being fined or running the risk of ruining their brand’s image.

Here, Dario Milo, a partner in the Dispute Resolution Practice at Webber Wentzel, helps us clear up any misunderstanding:

How does the POPI Act affect small businesses, especially those formed during Covid-19?

Small businesses — indeed all businesses — will be obliged to be compliant with POPI by 1 July 2021. At a basic level, they will have to identify where personal information is stored, how it is processed, who has access to it and why it is being stored or used.

Many businesses might have already had such systems in place. But, for businesses formed during Covid-19, this may mean adapting within a short amount of time.

How should brands store data and ensure the privacy of clients on their servers?

If a company is storing client data on its servers, and doing so as a responsible party under POPI, it must ensure that appropriate security safeguards are in place to protect that information.

A brand must take appropriate, reasonable, technical and organisational measures to prevent loss, damage, unauthorised destruction of, or unauthorised access to that information.

How can brands ensure that they’re compliant?

'Personal information' is defined very widely in the Act, and so much of what a company does will involve processing this data in some way or another. The most important priority, in my experience, is to safeguard the security of the data you are storing.

But more than that, you will need to do an audit of the data stored to ensure your processing is justified under POPI. It is a complex piece of legislation with many onerous obligations, but also many exceptions to the rule.

What can businesses do to save themselves during a data breach?

Some data breaches are almost impossible to prevent — even when you follow the best practices in the world.

You need a crisis response strategy and [your brand] needs to play open cards with your employees, customers and the regulator. If a data breach happens, you need to restore trust — and transparency and trust go together.

What should the public really understand about POPI?

Consumers can now be more certain that they will have easy and cheap remedies if their data is not being protected and processed lawfully.

Where they are sharing their data with anyone, there will be obligations on the recipient of the data to take your data seriously — to take steps to protect it and to not abuse the trust you have placed in the recipient by playing fast and loose with your personal information.

What should brands be looking out for when they visit online/digital sources?

Everyone should study website terms and conditions, or app terms and conditions — in particular how the website or the app treats your private information.

Ultimately, consent to the use of your information is a defence: so, if Facebook says you permit it to access your profile information, you are granting it consent to do so by participating in the platform.

Be careful how much data you share on social media sites — and remember your data is likely the quid pro quo for you being allowed to use the service.

What are the gaps that need to be closed by the POPI Act?

Whilst the legislature provided a year within which to comply with the Act for practical reasons (i.e. to enable companies to implement systems in compliance with the Act), the measures mandated by the Act should be implemented across the board as soon as possible.

One area that we will hopefully see improvements on is direct marketing — POPI has some strict requirements for when you can market directly to your customers and those who are not your customers.

How should brands comply with POPI when it comes to direct marketing?

Ultimately, companies will need to interrogate the lists they have to ensure that they have consent to market directly. If it’s a customer and the direct marketing is for the company's similar products, they’ll also need to look at the lists — provided the customer has an opportunity to opt out.

If they don't have consent, and the person is not a customer, POPI allows the person to be approached only once to see if the person will consent to the marketing.

What are the consequences of not complying with the Act after 30 June 2021?

Failure to comply may result in a complaint to the regulator (who ultimately has the power in some cases to impose a maximum fine of R10-million) and there can also be civil proceedings based on strict liability brought against the responsible party.
