Privacy law to cost billions

By Nicola Mawson, Contributor.
Johannesburg, 08 Oct 2012
Cleaning up databases to comply with the pending Protection of Personal Information Bill will cost companies billions.

Implementing the Protection of Personal Information (PPI) Bill's requirements around data will cost local companies large amounts of money, if they have not already sorted out their databases to make sure the information is accurate.

The Bill, which is expected to come into law towards the end of this year, or early next year, will be the first consolidated piece of privacy legislation in the country. It dictates how and what personal information can be used, and how it must be stored securely, and forces companies to tell people if their information has been breached.

Companies will have to clean up their databases, an exercise that is expected to cost companies billions as each organisation will have to check every bit of information they have stored for each person on their database.

In addition, companies could be asked by a customer to provide them with all the information they have on that customer. Firms can also only keep information for as long as they need to have it, and the type of data stored needs to be specific to the transaction.

The Bill also seeks to regulate direct marketing and unsolicited communications, and should cut down on spam, as it specifically speaks to electronic communications. SMS and e-mail account for the bulk of spam.

However, few local companies are prepared for the new law, and once it comes into effect, corporate SA will only have a year in which to implement its stringent requirements, or face a fine of as much as R10 million for serious breaches.

Far-reaching data

Simone Gill, director in the technology, media and telecommunications practice at Cliffe Dekker Hofmeyr, has said the Bill will impose a number of "stringent obligations" on all companies that process personal information in any manner.

Processing of information, as defined under the Bill, includes collection, receipt, recording, organisation, collation, storage, updating, alteration or modification, retrieval, consultation, use, dissemination, distribution, merging, linking, erasure or destruction of personal information, explained Gill.

Gill said anyone who processes personal information must take appropriate measures to ensure the integrity and confidentiality of personal information is maintained. This includes taking "appropriate, reasonable, technical and organisational measures" to prevent loss or unauthorised destruction of, damage to and unlawful processing of personal information.

Nick Altini, director and national head of the competition and regulatory practice at Cliffe Dekker Hofmeyr, adds that it will be illegal for a direct marketer to engage in direct electronic marketing unless the consumer has given prior consent.

However, an existing customer can receive communications, notes Altini. "In this case, the term 'existing customer' is defined and the Bill makes it clear that one can market directly to an existing customer if the contact details of that customer have been obtained in the context of a sale of a product or service for the purpose of marketing similar products or services.

"Customers must be given a reasonable opportunity to object, free of charge, to use of their electronic details at the time when the information was collected and afterwards, in each and every electronic communication sent to the data subject for the purposes of marketing," Altini explains.

Hefty price

Direct Marketing Association of SA (DMASA) COO Alastair Tempest says cleaning up databases is a cost that could run into billions for companies in SA. He adds that this is a process that should have been done already, and will ensure that fly-by-night marketers and contact list sellers disappear.

The PPI is a strict law that will require companies to clean up their databases, which will make campaigns and marketing more effective, says Tempest. He adds that it is difficult to estimate the exact cost because of the widespread nature of data. "Data is so all encompassing today ... everyone has data."

Shay van der Poll, business development manager at Computer Facilities, says the new law provides an opportunity for companies to clean up their databases. However, the once-off clean up comes with a cost. Computer Facilities runs the DMASA's opt-out registry.

Once a database has been cleaned up, the only ongoing cost will be to maintain it, Van der Poll adds. He estimates that it will cost between R1 and R2.25 for every person on the register, across the population, for every company that deals with clients.

There are around 3.5 million companies in SA, and - according to Statistics SA - around 35 million citizens above the age of 19 out of a total population of 50.6 million, based on its latest figures.

Van der Poll says very few companies have good databases and many are not willing to clean up information and turn data into real information.

Spray and pray

Tempest says the Bill has caused quite a stir in the direct marketing industry, but it will not mean a collapse of the sector. Tempest estimates the size of the industry is around 3% of SA's total economy, with 500 000 contract and permanent staff.

SA had a system that was unregulated until the advent of the Consumer Protection Act (CPA), says Tempest. The CPA stipulates rules for direct marketing as well as acceptable contact times.

Currently, many marketers adopt a "scatter-gun" approach to sending out SMS and e-mail marketing, notes Tempest. He says this was also the situation in Europe, until it enacted legislation, which led to more segmented and targeted marketing.

SA's personal privacy law is based on the European legislation. Tempest says the DMASA's code of conduct is close to mirroring PPI and is currently being updated.

Serious consequences

Tempest explains that the pending law provides for strict penalties for those who breach it. He says the regulator, which will comprise a five-member panel, will also have the power to fine companies, and fines can be as much as R10 million for each offence.

As a result, a company that breaches the pending Act by sending spam to 500 people would, for example, face a fine of R10 million, times 500. People who deal in financial data and breach the law face up to 10 years behind bars, he notes.

One marketing campaign that is in breach of the new law can kill a company, says Tempest. He adds this could lead to job losses at companies that do not follow the legislation's requirements if the regulator is prepared to enforce the Act when it comes into being.
