
What’s happening since POPI came into effect

01 August 2021 | Myra Knoesen

The main requirements of the Protection of Personal Information (POPI) Act became law on 1 July this year.

FAnews spoke to Karl Blom, Senior Associate at Webber Wentzel, about how the industry has adapted so far, and the trends or issues that have been picked up since POPI came into effect. 

The POPI compliance journey

“In our experience, South African companies are at various stages of compliance with POPI. Many companies have taken initial steps to comply with POPI, including interrogating their marketing practices, updating their policies and ensuring that they have the requisite privacy notices in place on their websites,” said Blom. 

“In addition, companies have begun interrogating their agreements to ensure that they reflect the requirements of POPI. That said, we have encountered a large number of companies that are still very early in their POPI compliance journey, and we anticipate that a significant number of companies are still in the process of assessing the impact of POPI on their business,” continued Blom. 

Trends since POPI came into effect

According to Blom, there seems to be ongoing uncertainty as to POPI's requirements concerning direct marketing. 

“In many instances, we have noted inconsistent approaches in how companies are advertising to their existing customers for the same or similar services, when compared to new customers. There are different requirements in POPI for electronic advertising to these different categories of customer, but this distinction appears to have been lost by a number of companies,” said Blom. 

A second noteworthy development, according to Blom, concerns the issue of consent under POPI. 

“POPI refers to consent that is a ‘voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information’. We have seen many communiques sent to consumers that note that the consumer is ‘deemed’ to have given their consent to the processing of their personal information. In this regard, we suggest that companies carefully interrogate whether consent has in fact been obtained from the relevant consumer in these circumstances. One should also note that consent is not always required to process personal information under POPI – there are several ‘lawful bases’ for processing personal information, including where it is necessary to perform an obligation imposed by law or to perform under a contract with the relevant data subject. Companies, including insurers, should assess whether one of these lawful bases is a more appropriate justification for processing personal information as opposed to ‘deemed consent’,” emphasised Blom. 

Financial services… the safety of information

“The security of information goes beyond keeping information confidential – the loss of, damage to, or unauthorised destruction of personal information must also be prevented under POPI. Given the ever-increasing value of (and reliance on) information to the modern economy, companies should be protecting this information not only to comply with POPI, but also to protect a strategic business asset and to safeguard the interests of their customers. Insurers and other companies must take proactive steps to identify reasonably foreseeable risks to personal information in their possession or under their control (whether these risks are internal or external). Thereafter, one must establish and maintain safeguards to prevent these risks occurring. These safeguards should be regularly verified and, if a deficiency is identified, steps should be taken to remedy it,” added Blom. 

“POPI does not prescribe the exact security safeguards to be taken. Insurers and other companies must take reasonable technical and organisational steps to protect personal information, which should be aligned with generally accepted information security practices, as well as any specific industry or professional rules or regulations. For example, if a company is a regulated entity (such as a financial services provider), it must ensure that it follows the requirements of any regulators with jurisdiction over it which pertain to the safeguarding of personal information,” continued Blom. 

Expectations, future scenarios and planning

“We advise our clients to focus on the ‘easy wins’. POPI compliance requires a significant investment of time and expertise. For that reason, especially where companies are at an early stage of their POPI compliance programmes, we suggest that companies identify those steps that require the least amount of effort to address the largest areas of non-compliance,” said Blom. 

“POPI compliance is an ongoing process and requires companies to continuously reassess the measures that they have implemented to comply with POPI. For that reason, companies should ensure this matter receives continuous attention and that dedicated sufficient and appropriate resources are appointed to focus on POPI compliance. We anticipate that the Information Regulator will continue to issue guidance notes, which will provide us with greater clarity on the Information Regulator's interpretation of key provisions in POPI,” concluded Blom. 

Writer’s Thoughts

If unsure, the best way to reach the required level of compliance is to partner with someone who has extensive experience and understanding of the POPI Act. Financial service providers who hold significant personal client data need to make sure they comply with the regulations. How far are you in your POPI journey? If you have any questions, please comment below, interact with us on Twitter at @fanews_online or email me at myra@fanews.co.za
