Are you Compliant?

You have heard about heightened data privacy expectations and the POPI Act, but is your small business ready to comply? The Protection of Personal Information Act (POPIA) commenced on 1 July 2020, and the one-year grace period meant that businesses had to be compliant by 1 July 2021. Change is coming, but it is nothing to be afraid of: the Act largely formalises privacy standards that already applied, and brings South Africa into line with regimes such as the European Union's GDPR.

Businesses must have a formalized process in place to demonstrate compliance, but as Dr. Peter Tobin, a POPI Act compliance specialist, points out, “Businesses that demonstrate POPIA compliance are more likely to earn the respect and loyalty of their customers, as well as to increase their chances of local and international trading and success.”

We take a look at what the POPI Act is and how to become POPI compliant.

What is the purpose of the PoPI Act?

The purpose of the POPI Act is to protect the personal information that both private and public bodies hold about individuals. Section 19 of the Act sets the security standard a business must meet: "A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information."

The goal is to give consumers more control over what data about them is collected and how it is used, and to oblige businesses to take appropriate precautions so that personal information does not end up in the hands of unauthorised parties.

Is the Act applicable to my company?

If your company collects, stores or processes personal information about clients or consumers in any way, you must comply with POPIA.

How data is stored, processed and used must be reviewed to make sure appropriate safeguards are in place, and this must be explained to clients or customers so that your processing is transparent. Clients and customers may also ask what personal information of theirs you hold, ask for it to be corrected, and ask you to delete it.

If, for example, a customer closed an account with a clothing store several years ago but still receives promotional emails, the store is in contravention of the Act. A business cannot keep using old customer information for its marketing, and must not retain personal information for longer than is necessary for the purpose it was collected for.
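The clothing-store scenario is really a retention and suppression problem: marketing must stop the moment the account is closed or consent is withdrawn, the record itself may have to be kept for a while longer (tax or dispute obligations), and once it is purged nothing must be able to put that customer back on the mailing list. The Python below is an added example, not code from the original article or from any particular vendor. The five-year retention period, the record layout, the sample customers and the hard-coded suppression key are all assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values, not taken from the article: marketing stops as soon
# as an account is closed or consent is withdrawn; the full record is kept for
# a fixed period after closure (e.g. for tax or dispute obligations) and then
# purged. Set this from your own retention schedule.
RECORD_RETENTION_AFTER_CLOSE = timedelta(days=5 * 365)

# Placeholder key for the suppression list, constructed for this example only.
# In practice load it from a secret store; never hard-code it.
SUPPRESSION_KEY = b"example-only-rotate-me"


@dataclass
class Customer:
    email: str
    marketing_consent: bool
    closed_on: Optional[date] = None   # None means the account is still open


def suppression_token(email: str) -> str:
    """Keyed hash of the normalised address.

    The suppression list has to outlive the deleted record, so it stores this
    token rather than the email itself. A keyed hash (HMAC) is used instead
    of a plain SHA-256 so that someone holding a mailing list cannot simply
    hash each address and read the list back.
    """
    normalised = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, normalised, hashlib.sha256).hexdigest()


def classify(customer: Customer, today: date) -> str:
    """Decide what may be done with one record on a given day.

    'market'   : open account with marketing consent
    'suppress' : keep the record, but send no marketing
    'delete'   : the retention period after closure has lapsed; purge it
    """
    if customer.closed_on is not None:
        if today - customer.closed_on > RECORD_RETENTION_AFTER_CLOSE:
            return "delete"
        return "suppress"
    return "market" if customer.marketing_consent else "suppress"


def run_retention(customers, today, suppression=None):
    """Apply the policy to a whole customer file.

    Returns (kept_records, marketable_emails, suppression_tokens). Every
    address that is suppressed or deleted goes into the suppression set, so a
    later re-import (an old spreadsheet, a partner's list) cannot quietly put a
    cancelled customer back on the mailing list.
    """
    suppression = set(suppression or ())
    kept, marketable = [], []
    for customer in customers:
        action = classify(customer, today)
        token = suppression_token(customer.email)
        if action == "delete":
            suppression.add(token)        # record is purged; the token remains
            continue
        kept.append(customer)
        if action == "suppress":
            suppression.add(token)
        elif token not in suppression:    # 'market', and never opted out before
            marketable.append(customer.email)
    return kept, marketable, suppression


# Constructed sample file mirroring the article's scenario (not real data).
TODAY = date(2021, 7, 1)
SAMPLE = [
    Customer("active@example.com", marketing_consent=True),
    Customer("optout@example.com", marketing_consent=False),
    Customer("closed2019@example.com", marketing_consent=True, closed_on=date(2019, 3, 1)),
    Customer("closed2014@example.com", marketing_consent=True, closed_on=date(2014, 3, 1)),
]

if __name__ == "__main__":
    kept, marketable, suppression = run_retention(SAMPLE, TODAY)
    print("records kept:  ", [c.email for c in kept])
    print("may be emailed:", marketable)
    # Re-importing the purged customer as a fresh, consenting record must not
    # make them marketable again: the suppression token still blocks it.
    again = [Customer("closed2014@example.com", marketing_consent=True)]
    _, marketable_again, _ = run_retention(again, TODAY, suppression)
    print("after re-import:", marketable_again)
```

Running it shows the account closed in 2019 being kept but suppressed, the account closed in 2014 being purged, and the re-imported 2014 customer staying off the mailing list even though the imported row claims consent. The same token check should sit in front of every path that adds addresses to a campaign, not only the periodic clean-up.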

How to Comply with the PoPI Act

While formalising this process will be new to many firms, it does not require hiring a team of data security experts or overhauling your systems. Be deliberate about how the information you collect is stored and used, and make sure sound security practices are in place to protect it.

To check that your business is POPI compliant, work through these steps:

1. Appoint an information officer (IO), or form a small team around one, depending on the size of your business. Under POPIA the head of the organisation is the IO by default, and the IO must be registered with the Information Regulator.

2. Understand how the information you gather is processed and stored.

Some questions to ask your marketing team or IO:

  • Is the information you collect stored on devices and systems that are kept up to date and protected by security software?
  • How do clients or customers give consent for their data to be collected?
  • How are clients and customers told how their data will be used?
  • Is the information you collect shared with third parties, and if so, does the client or customer know?
  • What happens to client or customer information that is no longer needed?
  • Can clients or customers ask to correct their data, or change how it is stored and used?

3. Review and update your current data security practices and policies where necessary.

4. Publish these policies, typically as a privacy notice, on your website and in your correspondence with clients or customers.

5. Create or update your Promotion of Access to Information Act (PAIA) manual.

How to Prevent Data Breaches Online

Online data breaches can never be ruled out entirely, but there are a number of precautions you can take to protect client or customer information online:

  • Register your own domain name and serve your site over HTTPS with a TLS certificate (still commonly called an SSL certificate) from a reputable certificate authority.
  • Make sure your hosting provider offers reliable backups, and test that you can actually restore from them.
  • If your staff work remotely and connect over a variety of public networks, consider a VPN so that their traffic to company systems is encrypted.

The purpose of POPIA is not to catch businesses off guard, but to give consumers transparency in an age when data collection and storage are not always visible to them.
