POPI Update 2013

THE PROTECTION OF PERSONAL INFORMATION ACT Update & Perspectives @ November 2013

Upload: contact-centre-management-group

Posted on 28-Nov-2014



TRANSCRIPT

Page 1: POPI Update 2013

THE PROTECTION OF PERSONAL INFORMATION ACT

Update & Perspectives @ November 2013

Page 2: POPI Update 2013

The Protection of Personal Information Act

The purpose of the Bill is to regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests.

Page 3: POPI Update 2013

The Protection of Personal Information Act

The President has signed, but the Act is not yet law until 6 months from now, while the regulators set themselves up, and then there is a 1 year compliance holiday, which may be extended by another two years, maybe.

Page 4: POPI Update 2013

The Protection of Personal Information Bill


So there are only 18 months to go and the Bill is potentially catastrophic for the contact centre industry, so…

Page 5: POPI Update 2013

If you* are convicted of an infringement the regulator can fine you up to R10.5 million, imprison you or both!

* Are YOU the ‘Responsible Person’?

Page 6: POPI Update 2013

POPI is based on the Eight European Union Principles

(In the Bill, these are called ‘The Conditions’)

1. The POPI Bill is a “Principles” based piece of legislation, and not “Rules based”

Page 7: POPI Update 2013


2. The Bill is all about “Processing” and not about “Communicating”

Page 8: POPI Update 2013

1) ACCOUNTABILITY – YOU are a responsible party

Get your Client/Affinity Partner/Data Supplier to sign an indemnity!!!

Page 9: POPI Update 2013

2) PROCESSING LIMITATION – You can’t process personal information unless:

• You have consent from the data subject, OR
• The processing is necessary for pursuing the legitimate interests of the responsible party.

Page 10: POPI Update 2013

3) PURPOSE SPECIFICATION – You must tell everyone that you are processing their data

• This condition will sink all the big prospect databases. How are they going to tell the 40 million people they have on their databases?

• So … hardly any leads will be available any more

Page 11: POPI Update 2013

The 8 EU Principles

4) FURTHER PROCESSING LIMITATION - only process someone’s data for a specific purpose

• You can’t use the data for another totally different campaign/product without getting consent from the data subjects, so you need to ask for a wider permission, such as marketing your full range of products

Page 12: POPI Update 2013


5) QUALITY of INFORMATION - it must be kept accurate

Page 13: POPI Update 2013

6) OPENNESS – you must notify the data subject when collecting their information. You need to tell them what the purpose is, who you are collecting for, the original source, their right to object, etc, etc, etc

Page 14: POPI Update 2013

7) SECURITY SAFEGUARDS – keep the data safe or else!

Page 15: POPI Update 2013

8) DATA SUBJECT PARTICIPATION – a data subject, that means anyone, has the right of:

• Access to their information,
• and they can tell you to update it,
• delete it,
• provide credible evidence as to where you got it,
• etc, etc, etc

Page 16: POPI Update 2013

POPI Section 69 – Electronic Communication

Processing personal information for the purpose of sending faxes, emails, SMS’s and calls via ‘automatic calling machines’ is prohibited unless the data subject:

– Has given consent to the processing (you only have ONE chance to ask for consent)

– If the person is a customer and you acquired their data in the process of a sale

– Any communication must contain the identity of the sender and an address so that people can ask to opt-out

Page 17: POPI Update 2013


A judge could easily rule that a dialler (predictive, or otherwise) is also an ‘Automatic Dialling Machine’. It is hoped that the regulations will clarify this.

‘Automatic calling machine’ is defined in the Act as a machine that is able to do automated calls without human intervention.

Page 18: POPI Update 2013

POPI – The Opt-In / Opt-Out Scenario

You can process and communicate with consumers via telephone, postal mailing and direct face-to-face sales:

– Provided you have complied with all the principles
– And provided that you allow the data subject every opportunity to opt-out from future communications

Page 19: POPI Update 2013

You can process and communicate with consumers via email, SMS, fax and automatic calling machines:

– Provided you have complied with all the principles
– And provided that the data subject has opted-in to receive the communication, or is a customer

Page 20: POPI Update 2013

Your POPI ‘To-Do’ List

• Formulate, draft or revise your Protection of Personal Information Policies, Procedures and Practices

• Investigate and Secure Appropriate Insurance Cover

• Define your Information Security Policies

• Carry out a Risk Analysis

• Assess the Impact on the organization's Marketing and Sales Practices

• Formulate, draft or revise your Incident Response Policy and procedures

• Review and adapt all documentation, and written and verbal (and electronic) responses. Ensure legal compliance.

• Draft and refine your Access to Information Manual

• Formulate and draft your Monitoring Policy and Procedures

Source: Michalsons

Page 21: POPI Update 2013

Tactics & Tips

• Take the trouble to read the Bill, then talk to a specialist to get a good understanding of how it specifically affects your business.

• The law requires that your company MUST appoint an INFORMATION OFFICER, and you need to inform the Regulator of the appointment.

• Carry out a comprehensive audit of all the personal information of customers and prospects that you hold in your company, including what outsourcers might hold on your behalf.

• If you are an outsourcer or take on work on behalf of affinity partners, ensure that you get an INDEMNITY AGREEMENT in place as soon as possible.

• Craft a detailed business plan / project to become fully compliant as soon as possible. The clock is ticking!

• Start a vigorous process to get consent from your customers to contact them regarding your full range of products.

• The same goes for your list of hottest prospects. Start now!

• We suggest you diversify away from unsolicited marketing and focus on customer service, debt collection and stimulating inbound sales.

• You potentially only have about 18 months left!

Page 22: POPI Update 2013

Useful Contacts

www.michalsons.co.za

www.databasesolutions.co.za

www.dmasa.org