Don’t place too much emphasis on the Protection of Personal Information Act

With the Protection of Personal Information Act signed and likely to be implemented to some degree sometime this year, it is fashionable to focus on POPI when thinking about data protection and privacy. While POPI is a very important Act, a complete data protection review has to take into account much more. I prepared a diagram to give you a quick overview of what you should be considering when you assess your compliance readiness.

Diagram (2014-01-14): Privacy is more than just POPI

POPI compliance and your plan to fail

The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions in conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is POPI’s commencement date in a government gazette and the final countdown to its implementation and a compliance deadline. A copy of the Act is at the bottom of this post for your reading pleasure.

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing that. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.

Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect, so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct that POPI will not apply retrospectively, but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect. You could find that your shiny data treasure trove is tainted and must be discarded, and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a couple of next steps on your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information; they have to be supported by the day-to-day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams. You need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process, and I’m not saying this because it is one of my focus areas: the more you delve into the law, the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. In it I explain many of the compliance requirements in POPI and in other legislation such as the Electronic Communications and Transactions Act and the Consumer Protection Act, as well as WASPA and ISPA Hall of Shame considerations.