🔒 POPI compliance: your practical questions answered. ESSENTIAL READ

POPI is the acronym for the Processing of personal Information Act, a law that carries stiff fines for companies and jail terms for bosses who break it. POPI has been on the books for a while but it has taken many years for the government to give the green light for it to take effect. In this discussion with BizNews founder Alec Hogg, two of South Africa’s experts on POPI, Okyerebea Ampofo-Anti and Emma Sadleir, unpack the details of the legislation, sharing tips to help you navigate tricky legal terrain. This transcription is part two of a series. You can watch the full BizNews webinar here, too. – Editor

There’s a wonderful author that I had the privilege of seeing in London. His name is Jaron Lanier, who’s written a lot about these things, one of those gurus from Silicon Valley, and he’s also talking about things changing. It’s interesting to see that South Africa’s right up there, and we’re starting to get this human right – because it is. Which comes to Andrew Clayton’s question; he says how does it impact cold calling? Often I get cold called and when I ask the caller where they got my cell number from – I never get an answer. Are they given lists to call? I have no idea where or when they could have gotten my cell phone number from, because I do not share it. This is a question worth asking.

Data protection really governs electronic communications. So we’re really dealing with emails and sms’s. But in terms of what people are allowed to do with your data, if I go and sign up at a gym; that company is allowed to use my personal information for the specific purpose of my contract – so exercising my contract. What they cannot do is go and sell my information to another company. So we will see, I think, as a knock of POPI; a significant decrease in these cold calling, because people are going to be so scared to sell their database – which they shouldn’t be doing anyway – but because these fines are so significant, I think that we will see a huge decrease in the illegal behaviour of selling databases. 

What is my phone number or your phone number worth to somebody in a case like that? When you say that they have been selling it on, presumably they’re not going to do that after POPI, but at the moment and for the next year – they still can. 

Well, look, I’m not sure exactly from a monetary point of view or financial point of view what number we can put on your phone number, but we certainly know that it has a monetary value because the sale of these databases has been a huge part of direct marketing in the past several decades. So, it has a clear monetary value and that monetary value is going to be deeply affected. So, if you’re in that industry, of course, it’s going to be difficult. However, it doesn’t necessarily spell the death of direct marketing. It’s rather instructing you to reorganise the manner in which you run your business in such a way that it actually respects the rights of citizens of this country. It’s basically like saying to oil companies, ‘you can still run your oil company, but what you’re not allowed to do is pump unrefined oil from your reserves into fresh water when you’re done – it doesn’t mean your company can’t exist anymore’. It’s about the way you do it, in a way that actually respects the people that you’re dealing with. 

Here’s a question for you, Emma. Following up on what you were talking about with the Gautrain a little earlier. The question is; if I lose the company laptop, do our report as an individual or do I report it back to the company to report to the commissioner?

You would report it to your information officer within the organisation, and then they have a duty within specific time frames to report it to the Information Regulator. Those requirements are so important. I think that’s where we’ll see the fines and – if any jail time – jail time coming in. Because also, the reputational harm if you don’t disclose that there has been a breach… Reputation is everything in the digital age. Not just for individuals, but for companies as well, Non-compliance with POPI – the fines and the jail time should be terrifying enough, although probably fairly unlikely in South Africa at the moment. But the reputational harm is what I think companies should really, really be conscious of. 

I can just imagine from Biznews’ perspective: if we ever gave out phone numbers or email addresses of our community – it would be the death knell, because then everything you stand for – reputation wise – is gone. So, I guess, not everybody has the same kind of pressures on their businesses. But still, it does sound a little bit crazy. Anyway, here’s a question from Dina Chetty; does the Act give businesses time to put in place their systems and to appoint a personal information officer? I think you said it was a year – starting from? 

From the 1st of July, you have one year. So at the end of June next year – that’s the absolute final bell. 

I should chip in there just to say – and I think Emma kind of touched on it briefly earlier – that it’s really important to start now and to start as soon as possible. And when I say start now, it doesn’t mean that you have to be ready to go with some huge compliance programme on the 1st of July. But it’s important to start thinking about the process, to start developing a plan, to start building a team within the organisation that will run with it and so on. Because I’ll give you an example; I’ve been running a POPI compliance project since February for a company that has about 150 employees, and it’s also a local entity of an international organisation. So, we’re looking at both GDPR and POPI at the same time. 

But honestly, if I tell you how many hours I’ve spent on this from February until now – we are only now months later getting to the point where we’re about to complete the initial gap analysis, which is just looking at the organisation and making an assessment of where the issues actually are. The second half of the year is where we’re going to then get into implementation and putting all my recommendations into place. So this is not a quick exercise, because it requires looking at each and every single one of your business processes. So, I certainly wouldn’t recommend any attempt at dilly-dallying until the last moment. 

Get cracking now. Super – great insight. James Tub says; from a consumer’s perspective – does that mean we’re going to get less sms’s? We haven’t even touched on that – it’s bad enough from the call centres, but these sms’s that clog up your phone… 

So, that really will be significantly impacted by POPI. Unless you’re an existing customer, then they cannot contact you unless you’ve gone and opted in somewhere. And even if you are an existing customer and you get that sms – there must be an option on every single one of those sms’s to stop or to unsubscribe. And if you click on that – that has to be adhered to, otherwise, it’s a breach of the Act. 

Sue George wants to know; as employed individuals – how can we protect ourselves against legal implication? 

I think what’s important is that employees shouldn’t get too panicked about this, because the Act has what it calls ‘the responsible party’. I don’t want to get too technical, but basically the responsible party is the entity who has the obligations under POPI to comply with the Act. And that is the person who determines the purpose of and the means for the processing. Ultimately, what it boils down to is that your employer is in all likelihood going to be the responsible party under the Act who has the obligation. That means as an employee, you don’t necessarily need to be concerned that ‘if I do something in the course and scope of my employment, which leads to a breach, that I need to be worried that I will personally get a fine or personally go to jail’. That fine will go to your organisation. Of course, what you’re going to have to worry about is the organisational consequences, because if you have to wear your other hat as a business owner – one of the things that you will need to bring in is precisely this. Data handling processes, procedures and policies, including the consequences on employees when they fail to comply with those, and as a result, the organisation attracts a fine or some kind of regulatory action or reputational risk. 

A lovely follow up here from Carmen Anderson, who says; as a start-up ecommerce business – do I have to include a privacy policy statement on my website? If so, where can I find a generic one? Emma? 

Yes, is the short answer. You must have a privacy policy, and where you can find a generic one you could look at some of the other ones that are available on every other website in the whole world and focus on a company that is kind of similar to yours, certainly in the same jurisdiction as yours – you can get some guidelines there. It’s a fairly basic document – what needs to be included in that privacy policy, so it’s something that you should be able to do yourself. 

If I could just chip in there, Alec. What worries me about the question, and look – I’m a start-up business owner myself, so I understand where it’s coming from. But what’s really important to remember is that POPI compliance isn’t about a policy. It’s not about creating a policy and putting it on your website – and then there is my compliance; you come to my website, I’ve told you what I’m gonna do. It’s deeper than that. And the reality is that you are going to have to get to grips with how it affects your entire organisation and not just putting up a policy. And of course, there’s always challenges around being able to afford a consultant and that kind of thing. But as a small business owner, it’s really important to remember that every cent that you do not spend on a consultant at the beginning or even training yourself -attending things that you can afford to attend, free things like what you’re doing today. Every cent that you don’t spend on that is a cent that you’re going to spend at the end – when you’re in trouble and you need to get someone to bail you out of it. So, try to think of it that way. 

Murray Benadi wants your contact details. I’m sure we can put the email addresses when we publish the webinar. By the way, it is being recorded so it will be going onto YouTube afterwards. Graham Hill asks: is there or is there planned to be any precis of this complicated legislation to help small businesses understand what is required? There we go ladies – a great challenge for you. 

I’m not aware of any official precis. I’m sure lots of organisations are busy preparing ones as we speak, and I’m considering preparing one as well. But yes, I’m sure that they’re going to pop up over time. I don’t know whether the regulator will be preparing an official sort of summary or overview. 

I’m actually just looking at the Information Regulator’s website at the moment. I don’t see anything official there, but I would imagine that they should have it. There’s a reference to guidelines and code, but I don’t actually see it on the website. 

Yeah, and if they don’t have it now, it’s probably one of the things that they’re working on, because if you, for example (and this is actually a helpful tip, because Emma had mentioned how similar the various regulations are here in South Africa and in Europe), go to the Information Commissioner’s Office – the ICO in the U.K. – the U.K. ICO’s website, you’ll find that they have a very detailed guide to data protection. And if you actually read through that, it’s very easy to understand, relatively easy to understand and work through – they have lots of practical examples on all the different principles, which are very similar to the principles here. And I’m sure our Regulator will eventually come up with something like that, but for now, if you want to do some self-help – that’s a good starting point. 

Sol Gorren wants to know, what about robocalls? 

So that would fall directly within the Act, because as soon as you’ve got a robocall, then that is dealt with as an electronic communication rather than a phone call. So, absolutely – exactly what we were talking about with sms’s – same rules apply. 

Gail Strauss says, what about employee data and digital communication campaigns – they’re directed at employees?

So, when it comes to your employee data – your internal stakeholders, your employees are just as important and you are going to have to undertake a POPI compliance programme in respect of those as well. The good thing is that obviously it’s a lot easier because you have a direct channel of communication with them, you can amend your employment contracts to basically refer to POPI compliance etc. Also, you don’t need the consent of your employees to process their information because in terms of POPI; you can also process information based on what is known as legitimate interest, and because you have a legitimate interest as an employer in processing your employees information for all sorts of things, including communicating with them, paying them, laying them off, doing all sorts of different things with them – about 99 percent of the things you do with your employees will be covered by legitimate interest, in any event. 

So, it’s going to be a lot easier when managing your employees and, in fact, in the EU -consent when it comes to employees is is heavily discouraged, because what the EU regulators have said is that you can’t really have free consent by an employee, because the employee is in a situation of duress, vis-a-vis their employer. So their consent really means nothing. So consent is not the right way to go when you’re dealing with your employees.

I’ll just add to that that most processing of employee’s personal information can be justified on the basis of the employer’s obligation to fulfil the employment contract. So, where you’ve got that application – then all that processing can be done.

You’ve both very well positioned to answer this from a personal as well as a legal perspective. Karen Haus wants to know; any practical tips for entrepreneurs, small businesses and nonprofits on how to meet the requirement with limited resources?

You are going to have to engage in some self-help. The U.K. ICO guy that I talked about is a really important starting point that can help you. It is quite a lot of information to get through, but as I’ve said before, it’s a new way of life and there’s no way to get around the fact that you’re going to have to do the hard work to understand these principles. There’s a lot of free webinars and discussions that happen, like the one you’re attending right now, and I have no doubt that now that POPI is in force – there will be more of those kinds of things available. So, I would definitely recommend that you have a look online and subscribe to any of those kinds of free resources when they do come up. I found as a new business owner that subscribing to those types of free resources when they do come up often turn out to be really, really important and helpful. 

And then tips and tricks (like what Emma mentioned earlier) like, if you need to do a privacy policy for your website, you can go online and look at the hundred thousand other websites that are there and get a sense of what’s on there and kind of use it to help yourself to get a bit of a template going. If you are a customer of big organisations by banks and so forth, you will see that a lot of them have already gone through a compliance programme because it’s such a big organisation and they’ve got things like POPI notices in their terms and conditions.

You can have a look at things like that and try to see how you can replicate it in your own terms and conditions. I’m talking about absolute necessity – I don’t have a dime for a lawyer type of environment. This is not recommended practise, but those are the kinds of things you can do to start helping yourself. And then over and above that, you need to maintain good digital hygiene; practises like having an antivirus on your laptop, for goodness sake. Make sure that you install passwords and don’t make the mistakes around then using your dog’s name for your password. 

Basic, basic things like that can actually go a long way towards protecting your business from a hack and those types of things. So, yes, it’s complicated and it’s lengthy, but there are also a lot of really basic things that you can do to protect yourself. Make sure that if you’re going to use a cloud service provider to backup documents for your business, for example – use the ones that are known, use your G-suite, for example, which is very cheap for an entrepreneur like myself.

I use G-suite. You can find really reputable and good cloud service providers for backing up documents – I use one called Sync, which is really excellent and it’s very cheap. It even has a free version as well if you have very limited amounts of data. But don’t just go onto the Internet and pick random sites that say that they can do things for you for free for your business, because anything that is free on the Internet is using your data in all probability or your customers data or is not providing you with the kinds of protection that you really need. So, if you just start applying basic digital hygiene – it will actually go a long way towards compliance with things like POPI. 

So I’d like to add a couple of things. There’s a lot of talk about why POPI is important and then sending everyone off to just go and do their own work. The main things are; you need to appoint an information officer within your organisation, you need to make sure that you’ve got privacy policies, you need to raise awareness amongst your employees, use the information that you obtain from your clients for the purpose that you obtained it for. Store it safely. Okyerebea is talking about passwords and things, but if you leave your phone on the Gautrain and anybody can access that information – it’s a pretty obvious breach. 

Where there is a breach, you need to know that you need to report it. It’s not like you need to know every single word of the data breach section, you just need to note to yourself as a start-up; that where there is a breach, where the information that I’m holding of my customers and of my clients is leaked, is breached, is hacked – I have a duty to report. We can get to what that duty looks like further down the line. Check your contracts.

Particularly where you send any of your personal information to another company for any kind of processing, you need to check those contracts and make sure that they are POPI compliant. Consent is a bit of a magic wand when it comes to POPI. Keep thinking to yourself; have I got consent to do this? Have I got consent from the customer to do what I want to do with this information? It’s just like being a good person – we’re dealing with privacy here, and what POPI was brought out to do is to prevent harm. We don’t want to cause people harm, and how does information cause people harm? Well, if it lands up in the wrong hands – we’re dealing with identity theft, we’re dealing with people being victims of fraud because criminals out there have managed to access their personal information and you were the weak link. That’s not a nice feeling. 

So, we’re not saying go and take a degree in privacy law. What we’re saying is just absolutely learn the basics, and I think we’ve covered most of the basics. Appoint an information officer within the organisation, make sure everybody who works for you is aware that this thing exists – anytime we’re dealing with personal information. We’re not dealing with anonymised information -that might be something we haven’t talked about yet. As soon as the information doesn’t attach to a specific person, then we fall outside the realm of POPI. We’re dealing with anything that identifies a particular person; it could be their education, it could be their religion, it could be their philosophical beliefs, it could be their pregnancy status, their ID number. Any time we’ve got information about somebody, we have a duty to look after that information. It’s really as simple as that.