Adopting a POPI mindset delivers sustainable business value
These are just some of the headings on the flood of e-mails hastily sent out by businesses around 1 July in a scramble to comply with the implementation of the POPI (Protection of Personal Information) Act.
As most of these e-mails simply asked customers to agree to continue subscribing to a mailing list – as prescribed by the Act – the exercise represented a missed opportunity for many businesses not only to safeguard their customers’ valuable personal information, but also to boost their trust and loyalty.
That’s the view of Stephanie Do Canto e Castro, Operations Manager at Johannesburg-based SaaS e-mail provider SYNAQ, who says the e-mail exercise was a clear indication that many organisations regard POPI compliance as a “check box” exercise – doing the minimum in order to avoid the significant penalties that can result from non-compliance: imprisonment of up to 10 years and/or a maximum fine of R10 million.
However, Do Canto e Castro believes that businesses should embrace POPI as a mechanism for change, specifically a change in their mindset regarding how personal information – especially when derived and stored in a digital format – is viewed, processed and managed.
“Compliance, in the spirit of POPI legislation, requires more than just a couple of cursory ticks in a check box. It is intended to act as an enabler for a new mindset that encourages people and businesses to manage personal information in a more secure and responsible way,” she says.
With the IDC forecasting that the global data sphere will reach 175 zettabytes by 2025, Do Canto e Castro says this mindset change is more necessary than ever, as organisations will be responsible – ethically and legally – for managing this explosion of data. This would require every person within a business to assimilate and adopt a more responsible and secure way of thinking when collecting, processing, storing and sharing personal information.
Do Canto e Castro maintains that organisations should not regard POPI compliance as a “grudge” expense just because the bottom-line benefits (apart from avoiding fines) or even the value of business data cannot be quantified.
Rather, she says, they should recognise that POPI compliance delivers more intangible benefits, including the fact that customers want to engage and transact with trusted, reliable and responsible providers.
In its 2020 Consumer Trust and Data Privacy Report, Privitar, a leading data privacy platform provider, found that although consumers still remain concerned about sharing personal data, the results highlight an opportunity for businesses to take a more responsible role by protecting their customers, resulting in increased brand loyalty.
“As this mindset translates into daily interactions and operations, it shifts the narrative for most businesses from just being a provider of services to also being a trusted and reliable partner who manages and safeguards valuable business information,” Do Canto e Castro says.
“The cost of POPI non-compliance and the resultant reputational damage this could cause is a risk that no business can afford to take, particularly in a country like South Africa that is still behind the curve in many ways when it comes to cyber security and data protection.”
So, what should a company that is not yet POPI compliant do?
According to Do Canto e Castro, the most important thing is to act immediately. Those who do not know where to start should ask for help from experts who specialise in this field.
However, businesses that have achieved compliance cannot just sit back and relax.
“It’s essential to keep up to date with any changes in legislation by becoming part of regulatory associations or engaging experts in the field,” she says, adding that businesses should also work at developing their POPI mindset by obtaining the buy-in from the organisation as a whole.
“Make the content relatable and easily accessible. Hold user education sessions, inspire debates and implement the guidelines in every aspect of the business’s operations,” she advises.
Do Canto e Castro emphasises that POPI legislation does not provide businesses with a “one-size-fits-all” solution.
“The purpose of the Act is to regulate how businesses store, process and use personal information. This means that the onus is on each business to adhere to these guidelines in the most comprehensive and sustainable way. This need not be too difficult – in fact, once you understand what has to be achieved, the answer often involves common sense measures that are relatively easy to implement without having too much of a detrimental impact on your business.
“The most important thing to bear in mind is that POPI makes business sense in a variety of ways. It is up to all of us to translate what could be an onerous business exercise into real business value,” she concludes.