The effective date of the South African Protection of Personal Information Act (POPI) has not yet been announced, but that doesn’t mean your organisation shouldn’t be preparing for it, especially since the Act, which was first signed into law by the President in 2013, is finally expected to come into force later this year.
Once the Act is enforced, organisations will likely have a one-year grace period to comply. However, as with any new legislation, becoming fully compliant takes time, so there is no time like the present to get your affairs in order.
Many businesses have already started working towards POPI compliance or at least put plans in place to meet its requirements. But there is still a lot of work to be done.
A March 2018 survey by news organisation ITWeb found that only 23.3% of respondents believed their businesses to be 100% compliant. A further 34.4% believed they were about 75% compliant. While this is encouraging, around 40% of respondents said their companies were still 50% or less compliant.
Source: ITWeb Surveys
Furthermore, only 63.7% of respondents said their companies had a strategic plan in place to meet POPI requirements.
One of the business departments that will be most affected by POPI is marketing. This means that, as a fund marketer (or any marketing professional, really), you have to be fully clued up on what POPI entails and how it’ll affect your day-to-day job.
What does POPI cover?
As explained by KPMG: “POPI, the protection of personal information act, is a piece of legislation designed to protect any personal information which is processed by both private and public bodies (including government). Some exceptions exist, but every person who collects, stores and otherwise modifies or uses information (i.e. processes information) is responsible under POPI and must comply with the conditions required for the lawful processing of personal information.”
But what does this actually mean for your business and marketing? This infographic from SendFile explains it a bit further.
Is POPI the same as GDPR?
Looking at the information above and everything else written about POPI, you might find yourself asking if POPI is the same as the EU General Data Protection Regulation (GDPR), the compliance deadline of which was in May this year. And if your business is already GDPR compliant, does that mean you will automatically be POPI compliant as well?
Unfortunately, it’s not quite that easy. There are many similarities between the two laws, which means that if you are already GDPR compliant it will be easier for your business to become POPI compliant, but there are some key differences you need to be aware of.
For example, whereas GDPR only applies to the personal information of individuals, POPI extends to the information you hold on legal entities as well, which means you have to consider how you store and use the information of companies you do business with, as well as that of individual customers.
Another key difference is that POPI requires all organisations to have a data protection officer, whereas GDPR only requires certain types of organisations to appoint such a person.
To make sure you’re fully POPI compliant (and avoid a potentially hefty fee), the best course of action would be to get hold of a POPI Act compliance checklist and make sure your organisation can tick all the boxes, even if you are already GDPR compliant.
From a marketing perspective though, the requirements are relatively similar, so you’ll likely not have to rejig your marketing methods much if you are already marketing in line with GDPR requirements.
How to make sure your marketing is POPI compliant
To make sure your organisation complies with POPI from a marketing point of view, there are a few key things you have to pay attention to.
As with GDPR, the keyword when it comes to marketing legally under POPI is ‘consent’. This means that you need people to opt in to receiving your communication, and you’re only allowed to send them the type of information they have opted in to receiving. For example, you cannot send your monthly newsletter to a client who indicated they only want to receive information directly related to their individual investment portfolio. In addition, your clients also need to be able to easily opt out of communication.
What’s more, when asking people for their personal information you need to make it clear why you need this information, how it will be used and whether it will be passed on to third parties. You also shouldn’t ask for more information than you realistically need, and of course, all information needs to be stored and transferred securely.
While POPI puts some limitations on direct marketing (emails, cold calling and SMSes), there are many other ways in which you can market your products to prospects without worrying about violating the Act.
Social media marketing is one example. As explained by Deloitte, if an individual engaged with you, or is following your company on social media, they already expect to hear from you, so communicating with them in this way is not unsolicited.
As long as you don’t use a customer support Twitter account to push sales messages, that is!
In essence though, POPI and GDPR support quality marketing (as opposed to spam) as you’re only able to market to people who showed interest in your products or services.
This could have significant benefits for your business. If you implement POPI correctly and only market to those who have opted in to hearing from you, you’ll build trust with your prospects and they’ll be more likely to read your emails and take the content seriously.
So, while POPI might reduce the size of your email database, it is not meant to rob you of quality leads; in fact, it’ll do the opposite. And as long as you market your products in an ethical way, you can rest assured that you won’t be found in breach of the legislation from a marketing perspective.