How Do You Know if Your Ecommerce Business is Compliant?
What is The POPI Act?
The POPI (Protection of Personal Information Act) Act of 2013 (also called POPIA) is a piece of legislation introduced to try and protect the constitutional right to privacy by implementing rules designed to protect private information.
According to Section 7(2) of the South African constitution:
“Everyone has the right to privacy, which includes the right not to have: (a) their person or home searched; (b) their property searched; (c) their possessions seized; (d) the privacy of their communications infringed.”
Who Does POPI Apply To?
The POPI Act applies to all natural (i.e. living people) and juristic persons (e.g. companies, closed corporations and trusts).
Why Do We Need a POPI Act?
In an age where data is the “new gold”, businesses are incentivised to capture and process as much of it as possible to create competitive advantage.
However, this is often to the detriment of consumers.
Allowing unrestricted data collection can lead to invasive advertising and problems like identity theft and fraud when it isn’t properly protected.
The act is fundamentally designed to protect consumers by regulating how and when businesses can capture and use their data.
Until the introduction of the POPI Act in South Africa, there was no regulation around how businesses could capture and use data.
Does The POPI Act Affect My Business?
The POPI Act’s main effect on business is changing how and when we can capture data for marketing purposes.
If you’re not engaged in any marketing activity that involves data capture, like lead generation or email lists, the POPI Act won’t affect your business.
It’s rare to see a business using this approach in this day and age,
However, if you are using any kind of marketing strategy involving data capture and direct marketing, it does affect your business.
You must make sure your business is POPI compliant because the penalties for breaching the act can be quite severe.
You must look at your entire marketing funnel.
If you hire a digital marketing agency, for example, and they’re found to be breaching the POPI Act you could still be liable if they were processing the data on your behalf.
What Are the Main Points of the POPI Act?
This summary is adapted from the POPIA Plain Language guide by Michalsons and the official POPIA website.
What is Personal Information?
The Act protects personal information and special personal information.
Personal information is any information used to identify a living person, like:
- Race and gender
- Contact details
- Financial details
- Medical history
- Employment and criminal history
- Education history
Special personal information is personal information that can be used to discriminate against somebody, and as such is treated differently. It includes:
- Race and ethnicity
- Criminal history
- Medical history
- Biometric information
- Trade union membership
When Can’t I use Personal Information?
You can’t use personal information without authorisation from the person it concerns.
You can get either:
- General authorisation to use any kind of special personal information.
- Specific authorisation to use one kind of special personal information.
What is Data Processing?
POPIA defines data processing as:
“…any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;”
The Act covers all forms of personal information both physical and digital.
I.e. it doesn’t matter if the data is in the form of contact details in a database or a piece of paper with their contact details written down.
In other words, the Act covers any handling of personal information in either a physical or digital format.
What is Lawful Data Processing Then?
Terminology:
Data Subject: the person the data is about.
Responsible Party: your business (the organisation deciding how and why to process the data).
Operator: the group that processes the information for the Responsible Party (e.g. your digital marketing agency).
There are 8 conditions of lawful data processing defined in the Act:
- The Responsible Party must take accountability to comply with the POPIA.
- The Responsible Party must have a good reason for processing Personal Information, such as consent from the Data Subject.
- The Data Subject must know why the Responsible Party is processing their Personal Information.
- The Responsible Party can only process Personal Information again if it’s for the same purpose they got consent from the Data Subject for.
- The Responsible Party is in charge of ensuring the Personal Information they process is correct and complete.
- The Responsible Party must be open with the Data Subject about how they are processing their Personal Information, in such a way that they know what is happening to their information.
- The Responsible Party is charged with the security and protection of Personal Information they collect and must implement reasonable security measures.
- The Responsible Party must communicate with the Data Subject about processing their Personal Information and allow them to correct or update their information.
What Are The Penalties For Not Complying to POPIA?
Generally speaking, the penalties will be charged on a case by case basis, and businesses will be required to pay compensation to Data Subjects for the damages they suffer due to your failure to comply with the POPI Act.
The legislation does also allow for the following penalties for serious offences:
- A fine or imprisonment of between R1 million and R10 million or one to ten years in jail.
When is the POPI Act Coming Into Effect?
The POPI Act is already in effect as of 1 July 2020.
Businesses have until 1 July 2021 to ensure their business is compliant before they will be penalised for not following the act.
How Do I Make My Business POPI Compliant?
Beyond auditing your business to make sure you don’t break any of the stipulations defined in the Act, Michalsons suggests taking the following practical steps to make your business POPIA compliant (that we’ve expanded upon):
- Appoint an Information Officer.
An information officer is a person in an organisation tasked with encouraging compliance with the conditions of lawful data processing.
The government suggests that every organisation who can afford to do so appoints an information officer.
Their responsibilities include:
- Encouraging compliance with data processing regulations in their organisation.
- Dealing with requests from data subjects made to the organisation.
- Working with the governmental regulators.
- Draft a Privacy Policy.
A Privacy Policy is a document explicitly stating how a website or business collects, handles and processes data.
All websites should have a privacy policy available to users as part of POPI compliance.
- Raise awareness amongst all employees.
Making sure your employees are aware of the new legislation is crucial.
In terms of the act, your organisation is liable for any damages their actions cause as a result of misusing consumer data.
It’s therefore in your best interest to get all your employees on board with protecting your customers’ data.
- Amend contracts with operators.
Similar to above, you as the Responsible Party are liable for any breaches in the POPI act that people, like your digital marketing agency, make on your behalf.
It’s in your best interest to amend your contracts with them to stipulate their adherence to the Act, so you’re not penalised for it later.
- Report data breaches to the regulator and data subjects.
If a data breach does happen, it’s in your best interest to report it immediately to the people affected and the government regulator.
Attempting to hide a breach may only bring greater legal trouble later, where if you get out in front of it you may be able to come to an agreement.
You can’t be prosecuted for breaches if you’ve taken reasonable precautions
- Check that you can lawfully transfer personal information to other countries.
Data protection laws vary by country, so this is an important consideration to have too since the South African laws are changing.
What’s legal here may not necessarily be legal in other countries or territories like Europe, so be sure to familiarise yourself with the laws of all the countries your business operates in.
- Only share personal information when you are lawfully able to.
Don’t share any data you collect with other companies unless you’re following the proper guidelines.
This can be just as bad as having a data breach that exposes your own customer data because you are indirectly responsible for whatever they do with your information.
Conclusion
We hope our POPI Act 2021 Summary helped clarify the requirements for your business to be POPI compliant and avoid any penalties.
If you need any further assistance, there are plenty of legal companies out there who will help transition your business into POPI compliance.
Just be sure to research the firm beforehand and find a reputable one that won’t overcharge you for it.
Overall, the POPI act is nothing to worry about for most businesses.
It just requires us to be more thoughtful with how we handle sensitive information about our customers.
This ultimately benefits everyone though, after all, wouldn’t you want your own data kept private?
Just make sure to adhere to the letter of the law and adjust your marketing strategy accordingly.
Found that useful?
Check out more articles on the inSyte Blog, designed to give you the tips, tricks and insights for you to take your e-commerce marketing to the next level
This article was brought to you by Syte.
We’re e-commerce digital marketing specialists obsessed with driving up your bottom line.
If you need any help with your e-commerce digital marketing strategy, feel free to reach out with the form below and we’ll see what we can do for you.