Almost 70% of local organisations believe the implementation of the Protection of Personal Information Act (POPIA) will have a direct impact on their go-to-market strategy.
This is one of the key findings of the Data Privacy Survey, conducted by ITWeb in partnership with consumer credit reporting agency TransUnion.
The survey set out to examine where South African organisations are with their POPIA implementation projects, and to what extent they expect the Act to affect their direct marketing strategies.
It revealed that organisations are struggling to strike the perfect balance between direct marketing and privacy.
While direct electronic marketing can be a powerful tool to increase growth within any organisation, it has to be premised on legal and ethical marketing principles. Once the POPI Act is fully promulgated, direct marketing strategies must comply with the conditions it sets out; the Act seeks to govern the processing, collection, recording and storage of personal information.
Jeannine Naude-Viljoen, general counsel for TransUnion Africa, says that under POPIA, consent plays an important role because it ensures that organisations do not process personal information without the customer’s consent.
“If your business is reliant on direct electronic marketing, this is imperative. You will not be able to utilise this channel without the required consent. That said, it does not prevent you from doing direct marketing through other channels such as contact centres and direct mailers,” she explains.
Section 69 of the POPI Act stipulates that a consumer must consent before direct electronic marketing can take place.
This applies, unless that consumer is an existing customer who gave their personal information to the supplier in the context of a sale for the purpose of direct marketing, and 'has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality'.
When asked what impact the issue of consent will have on their go-to-market strategy, nearly a third (30%) of respondents indicated that their strategy is 'POPIA proof'. Interestingly, 3% said their business won't exist when the new data privacy regulation is in full force.
A combined 58% of respondents believe they are ready, to a great or very great extent, to deal with consent for direct electronic marketing under POPI; on the flip side, nearly 20% admit they haven't thought about it, or are not ready at all.
“The more diverse the data you collect and process as a business, the bigger your risk. The General Data Protection Regulation (GDPR) has significantly affected direct electronic marketing in the UK, and we have seen businesses either change their business models or redirect their channel strategies after its introduction,” Naude-Viljoen points out.
A total of 55% of respondents reported that their organisation is midway with the implementation of their POPI project, with 31% having not yet started. Only 14% have completed their POPI project.
All public and private bodies will be expected to be compliant with the provisions of POPIA within one year of its commencement. The consequences of non-compliance could be a fine of between R1 million and R10 million, or one to 10 years in jail.
While there is no clear indication as to when POPIA will ultimately become effective, Naude-Viljoen warns that if organisations haven’t started yet, it’s probably already too late to play catch-up.
“Because the legislation is principle-based, it requires a business-specific review of each requirement, in line with how an organisation collects and processes data. There is no tick-box or one-size-fits-all solution. You need to do the work.”
Learning from others
In terms of taking part in an industry-wide solution aimed at dealing with direct electronic marketing consent-based concerns, over a third (36%) of respondents see a great deal of value in participation, while 28% haven't thought about it.
“Unless you’re a highly regulated business, such as a credit bureau, or you’re part of a global multinational company that has stringent privacy or GDPR obligations, chances are that you’ve never considered data privacy to this extent,” adds Naude-Viljoen.
“Although there is no one-size-fits-all solution for POPIA compliance, there is value in understanding best practice and learning from people and companies who have gotten it right. Privacy management is not a once-off event; it needs to become part of your organisational DNA. This means that you need to cultivate it and continuously enhance it.”
How can service providers gain trust?
The ability to show exceptional security and risk governance (66%) emerged as the most important trait a service provider would need to demonstrate in order for respondents to share with them their customers’ personal information. A legacy of successfully operating in a highly regulated environment (21%) was cited as the second most important trait; and a strong brand came in third, at 10%.
While all three traits are certainly important, Naude-Viljoen believes none of them are sufficient in isolation.
“It again comes back to inculcating privacy management into the DNA of your organisation. It is the golden thread that ties all of these together.
“Whereas your first question would previously have been: 'Will this product be profitable?' or 'What value can this data add to my business?', it should now be: 'Do my processes and policies allow me to legally collect and process this data?'
“Only once you’ve ticked that box can you start thinking about how you use the data,” she concludes.
About the survey
The 2019 Data Privacy Survey was run online on ITWeb for a period of two weeks in August.
A total of 185 people from cross-sector organisations participated in the survey. About 34% of them are in executive management positions, 40% are in middle management and the rest consist of IT employees and consultants.