Are you ready for POPI?
It has become clear in recent years that the proper treatment of their personal information matters to consumers, but why should it matter to the businesses who are using the information? Put differently, how can a business justify spending money on and committing resources to becoming POPI compliant? Because POPI compliance and the risk of not treating personal information with care is about much more than legal compliance.
The Protection of Personal Information Act was signed into law in 2013. It is not in force yet, but will be as soon as an Information Regulator is appointed and the effective date is announced. Businesses will then have 1 year to become compliant. POPI makes it illegal to collect, use or store the personal information of consumers and businesses unless it is done in accordance with the rules prescribed in the Act. These rules will impact how information is collected, what it can be used for, how to maintain the quality and security of the information and how and for how long the information can be kept.
It has become clear in recent years that the proper treatment of their personal information matters to consumers, but why should it matter to the businesses who are using the information? Put differently, how can a business justify spending money on and committing resources to becoming POPI compliant? Because POPI compliance and the risk of not treating personal information with care is about much more than legal compliance.
Personal information and trust are assets
For most businesses, personal information is an asset. Whether it is central to its services or only used for marketing, there is value to having personal information which is of a good quality (which is one of the conditions of lawful processing) and is kept secure (another condition of lawful processing). The loss of or damage to this asset results (often directly) in loss of profit.
Becoming POPI compliant will increase transparency which in turn will inspire trust in the business. When it comes to sharing personal information, customers are often swayed by whether they can trust a business or not. Viewed in this way, POPI compliance becomes something which is marketable and may lead to increased business.
Lawful processing is a prerequisite for entry into the ‘information economy’
Non-compliance with legislation like POPI has increasingly restricted companies’ ability to transact with other companies in the ‘information economy’. As is the case with POPI, it is the norm internationally that personal information cannot be exchanged with companies who do not comply with the conditions of lawful processing. Where a business’ customers are also companies, POPI will force them to demand that the business is POPI compliant before sharing any personal information.
Protection of reputation
Privacy has become increasingly important to consumers as the internet started playing a central role in their lives and this has influenced how they interact and transact with companies. Privacy breaches result in losses in profit, but also affects consumers’ trust in the company. When consumers do not trust a company, they are not likely to give them their personal information.
Compliance leads to savings
POPI compliance can lead to a reduction in operational costs. Investigations into the lawfulness of processing often uncovers inefficient processing activities which can be adressed to be more cost-effective.
Legal compliance
Achieving legal compliance brings with it a reduction in the risks of restrictions on processing activities, fines and lawsuits. POPI will establish a new Information Regulator who will have wide ranging powers to prohibit the processing of personal information which it deems unlawful. It can also impose administrative fines of up to R10 million. Last but not least, data subjects will be able to bring claims for damages against offending businesses and POPI provides that the Information Regulator can bring these claims on their behalf.
Training and awareness is a large component of any POPI compliance campaign. Or, in the absence of a campaign, it is a good start. Why? Training raises awareness, exposes risk and changes behaviour. More so than with many other pieces of legislation, the risks created by POPI can often be cured through small adjustments in behaviour rather than wholesale changes to a business’ structure or services.
Elizabeth de Stadler is the editor of the Consumer Law Review and a senior associate at Esselaar Attorneys in Long Street in Cape Town (http://www.esselaar.co.za). The firm specialises in consumer law. She is also a founding director of Novation Consulting (www.novcon.co.za or @NovConSA), a company which specialises in providing regulatory compliance solutions and designing innovative and effective ways to communicate ‘legal’ documents to consumers. Her book, Consumer Law Unlocked (Siber Ink), was published recently. She is the author of a consumer law textbook and a guide to plain language legal drafting, both of which are to be published by Juta Law. She is also the co-author of chapters on the Consumer Protection Act in The Law of Contract in South Africa and The Law of Commerce in South Africa (Oxford University Press).
Look Elizabeth up on our website as one of our subject matter experts.