Posts

POPIA Compliance

POPIA COMPLIANCE: WHEN THE INFORMATION REGULATOR COMES KNOCKING

It has been reported that the Information Regulator, Advocate Pansy Tlakula, tests call centre operators when she receives unsolicited calls by asking them where they got her number from and if they were aware that the calls they were making were illegal – scary right? Do you know what POPIA Compliance entails? Are you prepared for when the Information Regulator comes knocking?

Many organisations are taking the stance that while the Protection of Personal Information Act (POPIA) is not fully enacted, there is no need for compliance. POPIA compliance is essential as there are currently serious risks associated with non-compliance with the Act. One such consequence is reputational damage which may entail loss of revenue, clients and service providers and increased business costs.

Earlier this year MiWay Insurance came under fire when a recorded MiWay conversation with Zulu King Goodwill Zwelithini leaked to the public. The Zulu King laid a complaint and the Information Regulator issued a media statement on 12 February 2018 stating that “despite certain sections of POPIA not yet operative, the Regulator intended to proactively engage MiWay with regards to the processes and measures they have put in place to comply with the conditions for lawful processing of personal information as prescribed in POPIA”. During 2018 the Information Regulator similarly engaged with Facebook, Aggregated Payment System (Pty) Ltd and Liberty Holdings (Pty) Ltd after major data breaches involving ordinary South African’s personal information came to light.

Nothwithstanding the reputational damage these organisations may have incurred, once POPIA is fully enacted organisations face penalties of up to R10 million and/or imprisonment for a period not exceeding 10 years.

DIRECT MARKETING

A big concern for organisations is the effect POPIA will have on direct marketing. Under Section 69 of POPIA a potential customer (“prospect”) must consent before electronic direct marketing can take place. However, in order to obtain such consent a direct marketer may contact a prospect once only. If they withhold consent, the direct marketer may not contact them again. This applies unless that prospect is an existing customer who gave their personal information to the supplier in the context of a sale for the purpose of direct marketing and “has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality”.

Customers have the right to complain to the Information Regulator should they believe organisations are not complying with POPIA. To date more than two hundred complaints have been received. Organisations should bring their direct marketing practices in line with Section 69 as soon as possible to avoid investigations and legal sanctions. Moreover, POPIA empowers customers to institute legal proceeds against non-compliant organisations directly as an alternative to lodging complaints.

DATA BREACH

Earlier this year the Facebook data breach made headlines worldwide. It is reported that the personal information of 59 777 South African users was potentially shared with the data firm called Cambridge Analytica. To investigate the alleged breach the Information Regulator convened a meeting of various government institutions. These institutions included the South African Police Service, specifically the HAWKS, the National Prosecuting Authority (NPA), the Department of Rural Development, the National Credit Regulator and the Association of Credit Bureaus. The meeting agreed to establish a Task Team comprising of the representatives of the abovementioned institutions to ensure a multi-disciplinary approach to the investigation.

Contact SwiftTechLaw here to ensure that you are ready for when the Information Regulator comes knocking.