The Protection of Personal Information (PoPI) Act, signed into law in 2013, aims to protect personal information and falls under the broader Constitutional right to privacy. It enables businesses to regulate how information is organised, stored, secured and discarded. Since information is a crucial component of any business, the PoPI Act should be implemented to keep it safe.
The South African PoPI Act has been carefully considered over the last decade to ensure that, when the Act is fully implemented, it reflects best international practice standards. Although it is not absolutely compulsory for companies to follow the PoPI Act, it is definitely beneficial for the privacy of their sensitive information.
Here are a few tips to help your business become PoPI compliant:
Assess Your Business’s Current Situation
Assess your business's current level of compliance as well as the steps you need to take to comply with the PoPI Act, keeping in mind the potential growth and changes your company may undergo in the future. To protect the integrity and confidentiality of the personal information you hold, PoPI steers you towards taking responsible technological and organisational measures.
Partner up with Professionals
Complying with the PoPI Act can be daunting for any business, especially if an in-house specialist is not appointed to ease the process. For this reason, we recommend hiring legal professionals to assist your business or organisation in setting up an Information Security Management System (ISMS) to help you comply with PoPI.
Management teams must know where information is stored, whether electronically or on paper, and put efficient protocols in place to ensure that information which is no longer relevant is destroyed, thereby increasing information security.
Don’t only take Electronically Stored Information into Account
Physical documents must not be neglected when it comes to destroying information. Make sure that all documents are shredded in a secure location by a service provider that complies with international security guidelines. Shredding is the most effective data destruction method for physical documentation as it is impossible for the documents to be reconstituted once destroyed.
Beware of Common Threats
According to the 2014 Metrofile Information and Records Management Trends Index, of the 200 management executives surveyed, 19% had either experienced identity theft or knew someone who had been subjected to white-collar crime. Should a database of clients' information be stolen, organisations could be held liable for identity theft or financial loss experienced by a third party, as well as for any issues arising from spam emails, text messages or direct marketing calls.
The PoPI Act & Digital Marketing
The PoPI Act deems it unlawful for a direct marketer to market directly to a person unless they:
- have given prior consent
- are an existing customer
For this reason, direct marketers must always offer an opt-out option on all bulk SMSs and emails.