The Protection of Personal Information Act (POPI) regulates how personal information is processed by public and private bodies in South Africa. [1] POPI is based on eight principles from the European Union and will become law within 18 months. [2] It imposes strict requirements for obtaining consent, securing data, and allowing individuals to access their personal information. Businesses must appoint an information officer and audit all personal data held to ensure compliance. Non-compliance can result in fines up to R10.5 million or imprisonment. [3]

1. THE PROTECTION OF
PERSONAL INFORMATION
ACT
Update & Perspectives @ November 2013

2. The Protection of Personal
Information Act
The Purpose of the Bill is to:
regulate, in harmony with international
standards, the processing of personal
information by public and private bodies in a
manner that gives effect to the right to privacy,
subject to justifiable limitations that are aimed
at protecting other rights and important
interests

3. The Protection of Personal
Information Act
The President has signed. But the Act is
not yet law until 6 months from now,
while the regulators set themselves up,
and then there is a 1 year compliance
holiday, which may be extended by
another two years, maybe

4. The Protection of Personal
Information Bill
So there are only 18 months to go and
the Bill is potentially catastrophic for
the contact centre industry, so…

5. If you* are convicted of an
infringement the regulator can fine
you up to R10.5 million, imprison
you or both!
* Are YOU the ‘Responsible Person’?

6. POPI is based on the
Eight European Union Principles
(In the Bill, these are called ‘The Conditions’)
1. The POPI Bill is a “Principles” based
piece of legislation, and not “Rules
based”

7. POPI Is Based on the
Eight European Union Principles
(In the Bill, these are called ‘The Conditions’)
2. The Bill is all about “Processing” and
not about “Communicating”

8. POPI Is Based on the
Eight European Union Principles
(In the Actl, these are called ‘The Conditions’)
1) ACCOUNTABILITY
– YOU are a responsible party
Get your Client/Affinity Partner/Data Supplier to
sign an indemnity!!!

9. POPI Is Based on the
Eight European Union Principles
(In the Bill, these are called ‘The Conditions’)
2) PROCESSING LIMITATION
– You can’t process personal information unless:
•
•
You have consent from the data subject OR
The processing is necessary for pursuing the legitimate
interests of the responsible party.

10. POPI Is Based on the
Eight European Union Principles
(In the Bill, these are called ‘The Conditions’)
3) PURPOSE SPECIFICATION
– You must tell everyone that you are processing their data
•
•
This condition will sink all the big prospect databases. How are they
going to tell the 40 million people they have on their databases?
So …. hardly any leads will be available any more

11. The 8 EU Principles
4) FURTHER PROCESSING LIMITATION
- only process someone’s data for a specific purpose
• You can’t use the data for another totally different
campaign/product without getting consent from the data
subjects, so you need to ask for a wider permission, such as
marketing your full range of products

12. The 8 EU Principles
5) QUALITY of INFORMATION
- it must be kept accurate

13. The 8 EU Principles
6) OPENNESS
- you must notify the data subject when collecting
their information
You need to tell them what the purpose is, who you are
collecting for, the original source, their right to object, etc, etc,
etc

14. The 8 EU Principles
7) SECURITY SAFEGUARDS
- keep the data safe or else!

15. The 8 EU Principles
8) DATA SUBJECT PARTICIPATION
- a data subject, that means anyone, has the right of:
•
•
•
•
•
Access to their information,
and they can tell you to update it,
delete it
provide credible evidence as to where you got it
etc, etc, etc

16. POPI Section 69 – Electronic Communication
Processing personal information for the purpose of sending faxes,
emails, SMS’s and calls via ‘automatic calling machines’ is
prohibited unless the data subject:
– Has given consent to the processing (you only have ONE chance to
ask for consent)
– If the person is a customer and you acquired their data in the
process of a sale
– Any communication must contain the identity of the sender and
an address so that people can ask to opt-out

17. POPI Section 69 – Electronic Communication
‘Automatic calling machine’ is defined in the Act as a
machine that is able to do automated calls without human
intervention.
A judge could easily rule that a dialler (predictive, or
otherwise) is also an ‘Automatic Dialling Machine’.
It is hoped that the regulations will clarify this.

18. POPI – The Opt-In / Opt-Out Scenario
You can process and communicate with consumers via telephone,
postal mailing and direct face-to-face sales:
– Provided you have complied with all the principles
– And provided that you allow the data subject every opportunity
to opt-out from future communications

19. POPI – The Opt-In / Opt-Out Scenario
You can process and communicate with consumers via telephone,
postal mailing and direct face-to-face sales:
– Provided you have coplied with all the principles
– And provided that you allow the data subject every opportunity
to opt-out from future communications
You can process and communicate with consumers via email,
SMS, fax and automatic calling machines:
– Provided you have complied with all the principles
– And provided that the data subject has opted-in to receive
the communication, or is a customer

20. Your POPI ‘To-Do’ List
• Formulate, draft or revise your protection of Personal
Information Policies, Procedures, and Practises
• Investigate and Secure Appropriate Insurance Cover
• Define your Information Security Policies
• Carry out a Risk Analysis
• Assess the Impact on the organization's Marketing and Sales
Practices
• Formulate, draft or revise your Incident Response Policy and
procedures.
• Review and adapt all documentation, and written and verbal
(and electronic) responses. Ensure legal compliance.
• Draft and refine your Access to Information Manual
• Formulate and draft your Monitoring Policy and Procedures
Source: Michalsons

21. Tactics & Tips
• Take the trouble to read the bill, then talk to a specialist to get a good
understanding of how it specifically affects your business.
• The law requires that your company MUST to appoint an INFORMATION
OFFICER, and you need to inform the Regulator of the appointment
• Carry out a comprehensive audit of all the personal information of
customers and prospects that you hold in your company, including what
outsourcers might hold on your behalf.
• If you are an outsourcer or take on work on behalf of affinity partners,
ensure that you get an INDEMNITY AGREEMENT in place as soon as
possible.
• Craft a detailed business plan / project to become fully compliant as
soon as possible. The clock is ticking!
• Start a vigorous process to get consent from your customers to contact
them regarding your full range of products.
• The same goes from your list of hottest prospects. Start now!
• We suggest you diversify away from unsolicited marketing and focus on
customer service, debt collection and stimulating inbound sales.
• You potentially only have about 18 months left!

22. Useful Contacts
www.databasesolutions.co.za
www.michalsons.co.za
www.dmasa.org