popi update 2013
DESCRIPTION
The Protection of Personal Information Act: Update & Perspectives @ November 2013
TRANSCRIPT
THE PROTECTION OF PERSONAL INFORMATION ACT
Update & Perspectives @ November 2013
The Protection of Personal Information Act
The Purpose of the Bill is to:
regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests
The Protection of Personal Information Act
The President has signed. But the Act is not yet law until 6 months from now, while the regulators set themselves up, and then there is a 1 year compliance holiday, which may be extended by another two years, maybe
So there are only 18 months to go and the Bill is potentially catastrophic for the contact centre industry, so…
If you* are convicted of an infringement the regulator can fine you up to R10.5 million, imprison you or both!
* Are YOU the ‘Responsible Person’?
POPI Is Based on the Eight European Union Principles
(In the Bill, these are called ‘The Conditions’)
1. The POPI Bill is a “Principles” based piece of legislation, and not “Rules based”
2. The Bill is all about “Processing” and not about “Communicating”
1) ACCOUNTABILITY – YOU are a responsible party
Get your Client/Affinity Partner/Data Supplier to sign an indemnity!!!
2) PROCESSING LIMITATION – You can’t process personal information unless:
• You have consent from the data subject OR
• The processing is necessary for pursuing the legitimate interests of the responsible party.
3) PURPOSE SPECIFICATION – You must tell everyone that you are processing their data
• This condition will sink all the big prospect databases. How are they going to tell the 40 million people they have on their databases?
• So …. hardly any leads will be available any more
The 8 EU Principles
4) FURTHER PROCESSING LIMITATION - only process someone’s data for a specific purpose
• You can’t use the data for another totally different campaign/product without getting consent from the data subjects, so you need to ask for a wider permission, such as marketing your full range of products
5) QUALITY of INFORMATION - it must be kept accurate
6) OPENNESS - you must notify the data subject when collecting their information
• You need to tell them what the purpose is, who you are collecting for, the original source, their right to object, etc, etc, etc
7) SECURITY SAFEGUARDS- keep the data safe or else!
8) DATA SUBJECT PARTICIPATION - a data subject, that means anyone, has the right of:
• Access to their information,
• and they can tell you to update it,
• delete it
• provide credible evidence as to where you got it
• etc, etc, etc
POPI Section 69 – Electronic Communication
Processing personal information for the purpose of sending faxes, emails, SMS’s and calls via ‘automatic calling machines’ is prohibited unless the data subject:
– Has given consent to the processing (you only have ONE chance to ask for consent)
– If the person is a customer and you acquired their data in the process of a sale
– Any communication must contain the identity of the sender and an address so that people can ask to opt-out
A judge could easily rule that a dialler (predictive, or otherwise) is also an ‘Automatic Dialling Machine’. It is hoped that the regulations will clarify this.
‘Automatic calling machine’ is defined in the Act as a machine that is able to do automated calls without human intervention.
POPI – The Opt-In / Opt-Out Scenario
You can process and communicate with consumers via telephone, postal mailing and direct face-to-face sales:
– Provided you have complied with all the principles
– And provided that you allow the data subject every opportunity to opt-out from future communications
You can process and communicate with consumers via email, SMS, fax and automatic calling machines:
– Provided you have complied with all the principles
– And provided that the data subject has opted-in to receive the communication, or is a customer
Your POPI ‘To-Do’ List
• Formulate, draft or revise your Protection of Personal Information Policies, Procedures, and Practices
• Investigate and Secure Appropriate Insurance Cover
• Define your Information Security Policies
• Carry out a Risk Analysis
• Assess the Impact on the organization's Marketing and Sales Practices
• Formulate, draft or revise your Incident Response Policy and procedures.
• Review and adapt all documentation, and written and verbal (and electronic) responses. Ensure legal compliance.
• Draft and refine your Access to Information Manual
• Formulate and draft your Monitoring Policy and Procedures
Source: Michalsons
Tactics & Tips
• Take the trouble to read the bill, then talk to a specialist to get a good understanding of how it specifically affects your business.
• The law requires that your company MUST appoint an INFORMATION OFFICER, and you need to inform the Regulator of the appointment
• Carry out a comprehensive audit of all the personal information of customers and prospects that you hold in your company, including what outsourcers might hold on your behalf.
• If you are an outsourcer or take on work on behalf of affinity partners, ensure that you get an INDEMNITY AGREEMENT in place as soon as possible.
• Craft a detailed business plan / project to become fully compliant as soon as possible. The clock is ticking!
• Start a vigorous process to get consent from your customers to contact them regarding your full range of products.
• The same goes for your list of hottest prospects. Start now!
• We suggest you diversify away from unsolicited marketing and focus on customer service, debt collection and stimulating inbound sales.
• You potentially only have about 18 months left!
www.michalsons.co.za
Useful Contacts
www.databasesolutions.co.za
www.dmasa.org