Why you should get proactive about privacy protection
The Protection of Personal Information Act (POPI), due to become law early this year, introduces legal protection in SA for the first time against the serious risks and harm arising from the unauthorised collection and abuse of personal information.
POPI has been criticised for being yet another piece of regulation driving up the cost of doing business in SA at a time when we can ill-afford it. It will also have a significant impact on the direct marketing industry.
But the new law is generally welcomed and will go a long way to further promoting the digital economy in SA. In line with similar laws internationally, POPI sets out a number of minimum requirements for the lawful collection and processing of personal information for marketing and other business purposes.
Defaulters will be subject to substantial penalties and sanctions, including civil and criminal action and negative media publicity. Unlike most other laws where people can enforce their rights only through expensive litigation, POPI creates an enforcement system that is free and accessible to the public. Lawyers and high legal fees will no longer be a deterrent for disgruntled customers and members of the public whose privacy is abused.
Five good reasons to start now
But aside from the obvious benefits of avoiding legal sanctions or bad PR, taking a proactive approach to privacy protection also provides a number of other benefits. For marketers, here are five good reasons to get started:
1. Build higher levels of trust and better relationships with customers and prospects when you collect their personal information by reassuring them that you take privacy seriously and that their information will be taken care of while under your custody.
2. Encourage customers and prospects to share more valuable information with you by being transparent about the way you collect and deal with their information.
3. Improve opt-in rates for your marketing messages and materials by not abusing contact information, time or attention.
4. Drastically reduce the costs of dealing with access requests, complaints and disputes around the personal information you use.
5. Use compliance with POPI as an opportunity to create more effective, better-run systems and processes within your organisation for managing all your information assets. This will result in improved decision making, less risk and a greater chance of realising your marketing and other business goals that depend on quality information.
Where to start
Respecting privacy and showing that you take care of the personal information you hold does not need to be a complicated and expensive exercise. Start by auditing your information and record-keeping systems (both digital and paper-based) to identify where and what personal information you have, and on whom. Common examples include customer or prospect names, identity numbers, bank account details, debit or credit card numbers and purchase history.
Identify the reasons why you hold that information and whether it is still serving its purpose. Check whether you have consent from the data subjects, or whether you should be contacting people on your database again to get their opt-in or to update their information. Gives you a good excuse to make contact and show that you are taking their privacy seriously!
Assess the current physical and technology safeguards you have in place and whether they are adequate to secure the personal information you hold. Pay attention to high risk information, such as unencrypted digital data found on laptops, tablets, smartphones, and other portable storage devices.
Restrict the access privileges of employees and outside service providers and contractors who don't need access to certain information to do their job. Promote awareness and training on security and privacy issues and implement and enforce internal policies and procedures.
When collecting and processing personal information, follow these simple guidelines:
a) Ask permission before you collect, use or share personal information.
b) Collect the minimum amount of information necessary to achieve your business purposes.
c) Tell people what you are doing with their information and who you are sharing it with.
d) Only keep it for the minimum time necessary.
So before POPI becomes law, get proactive about privacy.
About Steve Ferguson
Steve Ferguson is an attorney who specialises in the field of intellectual property and IT law. Steve has been involved in the tech and media industries since 2003 and has helped a number of exciting businesses, including Bizcommunity, navigate the legal issues facing them in the digital age.