Yes, the POPI (Protection of Personal Information) Act is lurking around the corner and companies are scurrying around to be ready and compliant for when the effective date starts, which is estimated to be May 2018. The industries that will be affected the most is IT and HR, but there is another industry that will be affected on a great scale: marketing.
Global Media Partner attended the POPI Conference on the 29th of August at the Hilton in Sandton. What an insightful conference this has been.
Every business unit in a company that deals with employees’ or clients’ personal information will be affected by the POPI Act. The POPI Act is almost the same as the GDPR (General Data Protection Regulation) but is more suited to the South African context.
Here is a piece out of White Paper written by one of our clients, Crest Advisory Africa, who specialises in helping companies implement and comply with the POPI Act. They have written about how the POPI Act affects each business unit and industry. Here is an excerpt about the implication of the POPI Act on Marketing:
Section 69 of POPIA has a direct impact on marketing. Marketing is the collector of leads, thus email addresses, business cards, contact details, positions in organisations, whereby a Data Subject could be identified.
Most organisations have a number of marketers in the field and the Responsible Party will be held liable (vicariously) for any POPIA transgression.
This section stipulates the following:
(1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSes or e-mail is prohibited unless the data subject:
(a) has given his, her or its consent to the processing; or
(b) is, subject to subsection (3), a customer of the responsible party.
(2) (a) A responsible party may approach a data subject:
(i) whose consent is required in terms of subsection (1)(a); and
(ii) who has not previously withheld such consent, only once in order to request the consent of that data subject.
(b) The data subject’s consent must be requested in the prescribed manner and form.
(3) A responsible party may only process the personal information of a data subject, who is a customer of the responsible party in terms of subsection (1)(b):
(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
(c) if the data subject has been given a reasonable opportunity to object, free of
charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details:
(i) at the time when the information was collected; and
(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
(4) Any communication for the purpose of direct marketing must contain:
(a) Details of the identity of the sender or the person on whose behalf the communication has been sent; and
(b) An address or other contact details to which the recipient may send a request that such communications cease.
(5) ‘‘Automatic calling machine’’, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.
Direct Marketing is very general in South Africa, with:
- SMSes sent from food chains, insurance companies, banks (automated approval).
- Emails sent from various industries
- Automated telephone calls from insurers, etc. to enhance their marketing strategy.
The collection of these contacts for Direct Marketing is most of the time sourced from Third Parties, who are obtaining the information from their customer and client services environment.
To understand this, one needs to understand and take cognisance of the definition and meaning of Direct Marketing: Direct marketing means to approach a data subject, either in person, in mail, or electronic communication, for the direct or indirect purpose of:
(a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
(b) requesting the data subject to make a donation of any kind for any reason.
If you want to be POPI Compliant, you need to ask clients permission to send them email marketing. This can be done through the CRM system, which you are using. You can have sign-up forms on Social Media, most CRM’s offer this functionality. These forms can also be sent on email. Using a double authentication will be all the better, to make sure you are covered.
With regards to obtaining information for marketing, you only need the information from the client, which is absolutely necessary. Knowing what they eat for breakfast and how they eat; is unnecessary, unless that is your target or part of your marketing campaign. If they are not a client anymore; remove their personal information from your records. Cut your losses rather than having to explain to your boss, why there is a fine of millions of Rands on their desk because you didn’t respect people’s privacy and their personal information. Rather be safe than sorry.
Click here to read the original POPI White Paper and the effect it has on all business units.
Be smart and comply with the POPI Act. If you have no idea where to start, Global Media Partner and Crest Advisory Africa will happily help you to be POPI Compliant.