Will the Protection of Personal Information Act (POPIA) impact your business?
After the intense spotlight on the Protection of Personal Information Act (POPIA) when it was partially enacted in November 2013, media attention seems to have dimmed. Many may be left wondering if this legislation will have a significant impact on their business and whether they should be actively preparing for it, or adopting a 'wait and see' position. Claire Watson interviewed Alison Treadaway, Managing Director at customer communication management specialist Striata, on the basics of this much-anticipated legislation, and how it will affect businesses as well as the communications industry in South Africa.
CW: What businesses will be affected by this Act?
AT: Every business in every industry needs some level of customer or stakeholder information. Personal information is crucial for communication success in the digital age, so I can't think of any organisation that won't be affected by this Act.
In the broadest sense, if you gather, receive, hold, use or share information about a consumer or business customer, then you are an affected party. This includes organisations that participate in a value chain that consumes data, such as outsourced service providers in marketing, communications and CRM, to name a few. Basically, any business that touches customer information will have to comply with this Act.
CW: What are the timelines? How long do businesses have to prepare for this Act?
AT: Only certain sections of the Act were ratified last year, namely the definition of key concepts, such as "Data Subject" and "Responsible Party," and the sections that allow for the establishment of the necessary authorities. The rest of the Act could be signed into law at any point and affected parties will be given one year to comply. So, the clock isn't ticking yet, but for many businesses, waiting until the grace period begins will be too late to make the necessary IT, process and contractual changes to ensure compliance within the timeframe.
CW: Who is considered to be a "Responsible Party"?
AT: The Act defines this as "a person or body which determines the purpose of and means for processing personal information." This means that if your business holds someone's personal information for the purposes of carrying out your services or sales campaigns, then you're a "Responsible Party." If this broad description applies, then you need to start understanding your current status with regards to the Act by doing an exercise like a gap analysis. Then define what it is you need in order to move towards compliance.
This includes relationships with suppliers who use your customer data to execute their services and contractual obligations. As the responsible party, you have to make sure that your suppliers are also compliant, as the liability with regards to protected information rests with the responsible party.
CW: What is considered 'protected information'?
AT: The Act refers to "Personal Information" and defines it as "any information or combination of information that can be used to identify an individual or juristic person", such as ID number or company registration number, email address, name and physical address. To clarify, a first name on its own wouldn't be protected information, but a first name alongside an email address would be. This is because it's likely that the individual could be easily identified using those two pieces of data together.
CW: Why is this Act good for consumers?
AT: The Act gives consumers more control over who is allowed to gather, store and use their personal information. It also provides recourse if they feel their personal data is being abused.
The person or company who is recognizable in the data is referred to as a "Data Subject" in the Act. They are given a number of additional rights (building on the Consumer Protection Act) around how their personal data is used. Any business that processes, stores or shares your information is now answerable to you, the consumer!
CW: Why is this Act good for South African businesses?
AT: While some may only see the additional burden of obligation, the Act brings our data protection laws in line with other geographies. This makes South Africa a more appealing and less risky business target. Yes, it imposes certain restrictions and safeguards around how an organisation can use someone's information, but it also promotes both accountability and transparency in data use.
Personally, I see this Act motivating good practice and achieving the required level of data protection, which will open up opportunities for South African businesses.
CW: How does this Act affect a service provider like Striata?
AT: The Act provides for the concept of an "Operator" which is a third party permitted to process data information on behalf of another party. The requirements for data protection in the service provider relationship are made clear in the Act and all communications providers like Striata will need to comply. Fortunately Striata conducts business in geographies that have equivalent data protection laws, such as the UK and USA, so we've already adopted and are compliant with most of the practices that this Act seeks to enforce.
CW: What is your plan going forward with regards to the Act?
AT: As with any new legislation, all affected parties will interpret and implement the requirements in a specific way and work towards their defined standards. Then everyone waits with bated breath for the first practical application of the legislation which really only happens when it gets tested in court. At Striata, we are already working on closing any gaps regarding the local interpretation of the legislation (which was modelled on the UK data protection laws).
Because we are both a Responsible Party and an Operator, our plan has to involve multiple work-streams to ensure our own internal compliance. We will also actively engage with our current and new customers to assess their requirements and to achieve 100% compliance of our integrated messaging solutions.
To explain the concepts mentioned in the Act, we have used part wording from the Act and part our own descriptions and explanations. For a direct excerpt, please refer to the Act itself.