South African businesses must comply with the new privacy rules of the Protection of Personal Information Act (POPIA) by the start of July – or face jail time and fines.
The new rules should mean much less spam and robocalls because companies will need your permission to contact you.
There are less than 100 days to go before business owners must comply with South Africa’s strict new data privacy rules. Failure to do so could mean jail time or large fines.
The Protection of Personal Information Act (POPIA) of 2013 came into effect last year, but companies had one year – until 1 July 2021 – to comply.
“Failure to comply with certain provisions of POPIA may result in the Information Regulator (IR) imposing an administrative penalty of up to R10 million as of 1 July 2021 or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment,” the regulator said this week. The IR is a newly established office, created by the Act.
READ | South Africans receive on average 11 spam calls a month – and insurers are the worst offenders
“South Africans will now have the right to privacy afforded to them by the constitution,” says Ahmore Burger-Smidt of Werksmans Attorneys. “We now need to deal far more diligently with the information we collect. Companies can only collect what is necessary and have a legitimate reason to collect that information.”
“It’s like when the Consumer Protection Act (CPA) came into force,” says Francis Cronje, an information governance specialist and contributor to the POPI Act. “Before that, people understood they had certain rights, but it didn’t really affect their life. Now if I buy something and it’s not right, I have certain recourse under the CPA.”
The basic intention of POPIA, he says is “not to impede the free flow of information. It means that if you collect my personal information, you don’t lose it, and you treat it with respect”.
“Say I buy a watch and the shop asks for my name and surname,” says Cronje. “Now they’re not allowed to share that information with anyone else, or send me marketing without my consent. They can’t share it with people I’m not aware of, or that I haven’t authorised.”
POPIA means the end of spam and robocalls – under certain circumstances.
Come 1 July 2021, you’ll receive fewer spam voice messages on your phone (known as robocalls), and fewer spam SMSes. It doesn’t mean they’re going away, says Elizabeth de Stadler, co-founder of Novation Consulting and co-author of “A Guide to the Protection of Personal Information Act”.
“But it will be much harder to do, and you will have more control over when you get them.”
You won’t receive unsolicited robocalls and spam texts – and that “unsolicited” is a crucial distinction. Companies need to ask your permission to send you marketing material. If you’ve given that permission, they can contact you until you ask them to stop.
The buying and selling of information will be much, much harder. Companies have built up huge databases of contact details, including your phone number and email address, and these get bought and sold on the open market.
That’s not allowed anymore – a company is not allowed to pass on your details to another party. And if they do, you can lay a complaint with the Information Regulator, which has substantial powers.
“In countries with similar data privacy laws, a lot of these companies have gone bust,” says De Stadler. “If I were a data broker, I’d be very scared right now.”
Even if you sign up, you’ll be able to opt out for free.
Anyone who has received a spam SMS knows they can be annoying to get rid of. Sending a message back saying “Stop” or “No” costs money.
“Think of someone buying pay-as-you-go airtime, and they can only afford R10 airtime a week,” says Cronje. “Suddenly I’m being bombarded with spam SMSs. For me to unsubscribe costs me R1, and if I’m bombarded with five or six at a time, there goes my airtime for the week.”
Under the new act, you must be allowed to opt out for free.
It doesn’t mean the end of telemarketing – because that is not electronic, apparently.
So companies can’t send you unsolicited SMSs or robocalls, but they can still cold call you. That’s because, according to the new laws, telephone calls don’t fall under electronic communication, says De Stadler. However, voicemails are covered. So robocalls get blocked, but an actual human phoning you up to sell you something is still allowed. If you want them to stop contacting you, you can formally ask them to stop, which they have to do under the CPA.
The way stores use your information for rewards cards and store cards will need to change.
According to Cronje, retailers will need to start thinking differently about how they use your information. Say you had a credit card several years ago, and got rid of it, but still receive marketing information. From July, that won’t be allowed anymore. Or what about that clothing store card you signed up for five years ago but never used? Retailers will need to take steps to destroy your information after a set period.
It’s not just electronic documents – it means hard copies too.
Say you own a guest house. It’s reasonable to make copies of travellers’ identity documents or passports because you need that information legitimately. However, you can’t just put it in a drawer and forget about it.
You need to make sure that information is kept safely, and disposed of safely. You’ll need to take reasonable steps to make sure you don’t get hacked and, if you do, you’ll need to tell your guests as soon as possible. It doesn’t just apply to electronic copies, says Cronje. It applies to hard copies as well. So invest in a shredder.
Corporates will stop asking employees and job seekers for so much information.
“The reality is companies will have to cut back on the extent that they process information, privacy rules ” says Burger-Smidt. If you joined a company recently, or you’ve been looking for a job, then the amount of personal information you need to hand over can seem quite intrusive. Under POPIA you can push back and question why the company needs your information, and they need to supply a good reason for wanting it.
According to De Stadler, roughly 60% of data that companies are asking for is out of habit.
“Organisations are very reckless when it comes to personal info,” says Cronje. “Now they will need to ask permission to retain your CV, or they’ll need to destroy it. And what happens if you leave the organisation? They’ll need to have a policy in place to get rid of your information.”
It’s not just big corporates who will be affected – every business will need to comply.
If you own a business, you have less than three months to comply.
“There are certain things you need to put in place,” says Burger-Smidt. “You need to have an Information privacy rules Policy, you need to make sure your employees know about POPIA, and you need to appoint an information officer.”
That need not be a new employee. You can appoint yourself information officer, but it means you’ll be responsible for ensuring the business processes data correctly, and has a plan for when to get rid of it. You also need to have a plan in place in case you’re hacked and someone steals that data.
If you have a business, you’ll need to update your website
Every business that has a website will now need to include a privacy rules notice indicating what you do with customer information, how you process it, and how long you keep it for, says De Stadler.