Using POPI to boost customer service

Most organisations remain concerned about the cost and effort of implementing the changes needed to become compliant with the POPI Act. Instead, they should see it as a customer service opportunity.

Johannesburg, 17 Feb 2020
Herman Kriel, GM for Data Protection, CyberTech

Much is often made of local businesses' preparedness – or not, as the case may be – for the implementation of the Protection of Personal Information (POPI) Act. What is seldom considered, and yet something that should be at the top of mind for enterprises, is the impact such preparedness has on the customer experience (CX).

With all the stories in the news recently of security breaches where personal information was stolen or lost, customers today tend to place security front and centre. This, says Herman Kriel, GM for Data Protection at CyberTech, means a key part of a good CX strategy for any organisation must be how they are ensuring that client data entrusted to them is well-protected.

“While breaches do happen, sometimes regardless of what measures are taken, utilising data encryption technology means that even in such a case, the client can be reassured that the thieves will still not be able to utilise the stolen information. So the real question CIOs should be asking themselves is: have I really done everything I could to ensure my customers’ data has been properly secured, if I have not encrypted it?

“The trouble is that while rules like the Sarbanes-Oxley Act (SOX) and King speak of businesses being ‘responsible entities’, an enterprise is hardly acting responsibly if it is only implementing standard, antiquated security precautions like firewalls, anti-virus, IDS and SIEM solutions. However, many do exactly this, chiefly because advanced security such as hardware encryption technology not only costs more, it is also more difficult to quantify your return on investment (ROI).”

What most don’t understand, continues Kriel, is that the true ROI of an encryption system is found in your ability to use this as a selling point and a differentiator. It is the same principle as living in a suburb where every house has an alarm and an electric fence – if you want to discourage criminals from robbing your house, you will need to implement additional security to differentiate yourself as being more secure than other, less secured homes (or competitors, in this case).

“At the same time, it is imperative that customers educate themselves and learn to pose the right questions to these organisations before entrusting them with their personal data. For example, instead of asking ‘Is my data protected?’ you should be asking ‘How is it protected?’ Moreover, if a client asks what is being done to protect their data and the business is not prepared to take the time to fully explain, then your next question should be ‘Why should I keep my business with you?’

“This is the heart of the matter – too many enterprises view the POPI Act as being about mere compliance, when the reality is that it is also a matter of principle and character. It should not only be about adhering to the terms of the Act; it should equally be about how the company ensures that the client’s personal information is protected in such a way that it will remain a customer.”

He adds that you could describe encryption security as a silent customer service – and in today’s world, customer service is how most organisations try to differentiate themselves. Obviously, it is important to apply the rules of the regulator, but complying with the POPI Act is not – or certainly should not be – just about the threat of jail. It should instead be about going above and beyond for your customer; it should be about the internal integrity of the business and therefore doing the right thing. Of course, sometimes, integrity has to be helped along, which is why it is also the customer’s responsibility to ask the tough questions of their service provider.

“Enterprises must be aware that when the POPI Act comes into force, they will need to be ready for it, which is why we encourage businesses to already be looking at how they secure consumer data, so that they will immediately be compliant. Therefore, I suggest such organisations actively champion the POPI Act and ensure compliance with this. Remember that you don’t need to be a company in the security space to champion new security measures.

“After all, if you think about things, it is far better for your business to find itself in the news because of the security measures you apply to protect personal data, rather than splashed across the front page as the company that failed its customers,” concludes Kriel.