"By ensuring consumers' rights and information are protected, we are creating an environment where customers are more confident to hand over their information and transact electronically. However, reaching compliance can be a significant challenge, especially for the smaller retailers," explains Angelina dos Santos-Barrett, customer engagement product manager at Innervation Value Added Services.
Despite its harmless sounding acronym, POPI has substantial penalties. Anyone who contravenes its provisions faces possible prison terms and fines of up to R10 million. More than that, it also allows individuals to institute civil claims so there may be the possibility of further financial loss for wayward retailers.
POPI regulates how anyone who processes personal information must manage, store and secure that information and is designed to prevent the negligent disclosure of personal information.
This means that an organisation can only capture, use or store a customers' personal information with their express consent. While this sounds simple enough, it becomes complex when you look at what the definitions of information are.
This could be anything as obvious as the name, address and ID number. It applies to electronic identifiers such as email addresses, cellphone numbers and social media handles. It takes into account medical, financial and educational history. However, it also includes things like personal opinions, sexual orientations, religious affiliation and any other information relating to individuals.
"The type of information that is being protected is precisely the type of information marketers are looking for when designing campaigns. For retailers this will have implications on many aspects, including loyalty programmes and gift carding."
Compliance to POPI does not stop at securing the data. Retailers will need to make sure that the information they have is accurate, up to date and that as soon as they no longer require it for a specific purpose, the information is destroyed according to the Act's requirements.
"The Act essentially enables consumers to be in control of their own information, allowing them to choose who has it and for what purpose. Many companies are trying to find ways to allow greater control by encouraging customers to update and maintain their own information, which seems to be the sensible route to go. The trick, of course, comes in finding IT solutions, which makes managing compliance simpler and more efficient, while meeting all the requirements.
"Companies will have a year to get their house in order. That means setting up adequate security as well as training staff to oversee the gathering, storing and appropriate use of customer's information. While this is a headache for larger retailers, it could have a significant impact on smaller operations. It makes sense to work with service providers who have integrated as many of the compliance issues into their IT offering as possible and is by the nature of their business already compliant to the CPA and is certified as compliant the PCI security standard," dos Santos-Barrett concludes.
