So, what’s the story with POPI?
With the majority of the Protection of Personal Information Act of 2013 (“POPI”), South Africa’s equivalent of the EU’s GDPR, coming into effect next month, businesses will now have one year to comply with the regulations, meaning the deadline for compliance is the 1st of July 2021. POPI sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (which includes both natural and juristic persons).
In terms of the POPI Act, personal information is data that can be used to identify a person, defined as “information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.”
This essentially means companies need to ask your permission to send you, or your company, marketing material. If you’ve given that permission, they can contact you until you ask them to stop or ‘opt-out’.
The buying and selling of such information is also prohibited. Certain companies have built up massive databases of contact details, including phone numbers and email addresses, and these get bought and sold on the open market. This is also no longer allowed (and is pretty unethical anyway).
What counts as personal information?
Below is a list of personal information that is important to direct marketing. It includes, but is not limited to:
- Gender
- Age
- Religion / beliefs / culture
- Language
- Email address
- Physical address
- Telephone number
- Location
- Personal opinions, views or preferences
This means that some of the most commonly used data elements in direct marketing fall under the provisions of POPI, so you, as a marketer, need to pay careful attention to how this data is processed.
Do I have permission to contact consumers already on my mailing lists, post-POPI?
In short, yes. If a marketer already has permission, it is fine to keep sending. No need to panic and ask all your current database subscribers to re-subscribe.
If marketers collect information and inform consumers that they are going to use such information to send promotional content, and then give clients the opportunity to unsubscribe in that communication, that will also be fine in terms of POPI.
If a marketer has, hypothetically, been emailing a client for 10 years (or a reasonable period of time) and the client hasn’t objected thereto, then a concept called “soft opt-in” governs this scenario.
If that same client lodges a POPI complaint after POPI comes into effect, this “soft opt-in” concept governs people attempting to take a chance with marketers post-POPI.
Though the “soft opt-in” principle isn’t codified law, it’s the responsibility of the data collector/marketer to ensure management of their database in a sound, ethical manner to prevent abuse of this concept.
An important point here is that a person can only be approached once to get consent. If consent is refused, it is refused ad infinitum. Another important point to take note of is that marketers must always be able to tell a data subject where they got their information from.
The Important Part: Chapter 8 of POPI
As a direct marketer, the chapter of POPI that governs direct marketing by means of unsolicited electronic communications is Chapter 8. The highlighted bits below point us to the main provisions (and we’ve broken this down into simpler English for easier reading):
- The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication is prohibited unless the data subject:
  (a) has given their consent to the processing; or
  (b) is a customer of the responsible party.
- A person or company may only process the personal information of a data subject who is a customer of the person or company:
  (a) if the person or company has obtained the contact details of the data subject in the context of the sale of a product or service;
  (b) for the purpose of direct marketing of the person or company’s own similar products or services; and
  (c) if the data subject has been given a reasonable opportunity to object, free of charge or hassle, to the use of their electronic details:
    (i) at the time when the information was collected; and
    (ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
- Any communication for the purpose of direct marketing must contain:
  (a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
  (b) an address or other contact details to which the recipient may send a request that such communications stop.
What does this mean for your company?
It’s not just big corporates who will be affected – every business will need to comply by July next year.
Businesses will need to have an Information Policy and need to make sure employees know about POPI, along with appointing an information officer.
That does not need to be a new employee. You can appoint yourself as an information officer, but it means you’ll be responsible for ensuring the business processes data correctly, in compliance with POPI, and has a plan for when to dispose of data. You also need to have a plan in place in case you’re hacked and someone steals that data.
If you have a business, you’ll also need to update your website.
Every business that has a website will now also need to include a privacy notice indicating, inter alia, what you do with customer information, how you process it, and how long you keep it for.
General Good-Practice Checklist
Here are some checks and balances to make sure you as a marketer comply with the provisions of POPI:
- Did you receive a subscriber’s details in the process of selling a product or service?
- Did you display your logo or company name in the body of the email? Did you also display your sender name to identify yourself?
- Is your communication to customers related to your products or services?
- Can your customer opt-out at the time the information is collected, and each time communication is sent?
- Does your content only relate to your own or similar products or services?
- Have you provided an address or a link to which the customer can send a request to opt-out?
The risks of non-compliance with POPI can include reputational damage, hefty fines and/or imprisonment, as well as paying out damages claims to data subjects, not to mention lengthy court battles and attorney fees if the claim ends up in court. Though you may have chosen a reputable bulk email sending platform to use for your email marketing needs, the onus is still on you to ensure you use the data in a compliant way. Here are some ways our team at TouchBasePro can also help:
- We can assist in ensuring your business address and contact details are included, usually, in the footer of the emails you send from the platform, as well as opt-ins and opt-outs (unsubscribes) being handled automatically and hassle-free.
- Data is stored securely, and you can control who in your organisation has access (we do the same on our side). This is one of the parts where the onus is on you to ensure compliance and is where most data breaches occur, so having some form of internal guideline or process is key.
- Depending on how you use our systems, it may assist you in informing and keeping track of how you got the person’s information. Sign-up forms handle this automatically or, if you are importing a list, naming your mailing lists appropriately helps mitigate accidental transfers of data across lists.
- We can also help with basic email validation. For instance, broken email addresses are identified and excluded by the system from email sends. We can take this further with our dedicated email verification service, which scores, checks and validates the likelihood of an email being delivered or having a high sending quality, prior to sending.
If you would like to chat to our team to help you or your company get ready for POPI and the compliance deadline, you can drop us a mail at [email protected] and our team will be glad to help. Alternatively, send me a DM and I'd be glad to assist. You can visit our site here for more information: www.touchbasepro.com
4y: Thank you for sharing this very informative
4y: Llew Morkel
4y: Great article Des Brown #datasecurity #datasafety #dataintegrity
4y: Such a great article, thank you!
4y: Well summarised and informative.