Masterclass Notes: What POPI means for marketers, agencies
by Johanna McDowell (@jomcdowell)
Werksmans facilitated the Protection of Personal Information Act (POPI) masterclass for our marketers on the Cape Town IAS programme. POPI will probably have a huge impact on both marketers and their agencies.
Marketers are going to have to be certain that their data is well-secured; this will apply whether marketers look after their own data or entrust it to their agencies, and might require much more investment by marketers and agencies in IT firewalls and storage software. Therefore, marketers will have to ensure that they select agencies which have adequate infrastructure for managing data.
Marketers are not going to be able to rely upon consumers to opt out if they do not want to receive communication. Up until now, marketers have been able to communicate continuously with consumers regardless; this will have to end. No more “inertia selling”.
This will make the need to be more engaging with the consumer even more pressing, as marketers will have to persuade consumers to opt in — and they will only have one chance to do this. This means that the quality of the communication to those consumers is going to have to be clear and very creative from the word go.
Take note and start preparing
The overall rule of POPI is that personal information collected from a “data subject” — the person to whom the information relates — is to be safeguarded by the “responsible parties”. Although the act is not yet in force, marketers are advised to take note and start preparing for the following rules and regulations:
1. The responsible parties are the ones who are:
- Collecting the information
- Recording it
- Storing it
- Updating it
- Disseminating it
So, even if the responsible party is not doing anything with this information it has collected, it has to look after it.
2. The responsible party is not allowed to ask for information it is not going to need for the purpose.
Only directly relevant information may be requested.
3. Personal information definition:
- Race, nationality, ethnicity
- Gender, sex, pregnancy, sexual orientation
- Age, physical or mental health disability
- Religion, conscience, belief
- Contact details, banking details etc
- You (the responsible party) cannot use the information for any other purpose than for which it was collected
- If people think that their data is being used incorrectly, they can complain and have it removed or altered
- In certain cases, you can process the information without permission from the data subject, eg if SARS or similar request it
- Information may only be retained on purpose and can only be processed for that purpose
- A responsible party must take reasonably practical steps to ensure that the personal information collected is not misleading
The POPI act covers all personal details — not just those used for marketing purposes, which only accounts for 10% of the act.
5. Security safeguards
- Information must be protected with adequate firewalls and antivirus software, which must be kept up to date. Cases such as the recent Sony and Ashley Madison information being leaked onto the web are in conflict with the rules of the act.
- If information does leak, then the responsible party has to tell the people on the database what has happened — and, of course, those people might then take legal action
- Automated decision-making — decisions that affect a data subject — may not solely be based on the information
6. Cross-border processing
Information collected may not be sent out of the country — let’s say your company is within a group of companies in various countries — unless the same data protection policies are in place in the other country.
7. Direct marketing
- The opt-out provision has been in place — inertia selling — until now
- POPI brings a big change in this area ie the responsible party is now REQUIRED to ask the data subject to opt in
- You are only allowed to do this once
- You may not pursue people
- If they do not reply, this is a “NO”
This is probably one of the most important changes that marketers will have to take note of.
8. Consequences of non-compliance
- Information regulator
- Enforcement committee
- Maximum fine is R10m
Various examples from around the world were shared with the marketers in order to illustrate what happens in places where this legislation is in place:
- Eg a laptop stolen from a home had data on it which could be used and was used; the fine was R12m (equivalent)
- Customer information left open on a desk allowing people to access it — penalty and fine
- Sending the wrong information to people, wrong groups in direct marketing, wrong email addresses used
Training people on the use of this information is therefore essential.
In conclusion, the marketers agreed that information is going to be more vital than ever, the security around this information more and more important, and that several practices currently in place in the market will have to change markedly.
Johanna McDowell (@jomcdowell) is managing director of the Independent Agency Search and Selection Company (IAS), and she is one of the few experts driving this mediation and advisory service in SA and globally. Currently she is running the IAS Marketers Masterclass, a programme consisting of masterclasses held in Cape Town and in Johannesburg. Twice a year she attends AdForum Worldwide Summits.