Just under one year ago, President Cyril Ramaphosa declared that by 01 July 2021, all South African businesses would be required to have put the necessary measures in place to become fully compliant with the new Protection of Personal Information Act (POPIA). The Act is intended to ensure better data management and data security, and to make businesses more accountable for how they use the public’s data – bringing South Africa’s privacy laws in line with international standards. It will limit how companies can use and store data such as customer email addresses (which might historically have been used for direct sales leads or the dissemination of company newsletters).
Why the POPIA is Necessary
In essence, the POPIA promotes the protection of personal information by businesses and organisations across the public and private sectors. Historically, the laws around the use of personal details were less stringent, and – with data breaches on the rise – this new Act works to better protect consumers from security breaches, theft, and discrimination. Based upon three core principles (responsibility, security, and consent), the POPIA holds all data processors accountable, regardless of the size of their databases. Every business that is online and collecting any form of data from its customers is, unfortunately, vulnerable to a cyberattack. Therefore, small and medium enterprises (SMEs) are not exempt from needing to become POPIA compliant.
SMEs are Just as Vulnerable to Cyber Crime
According to a report by Accenture, South Africa has the third-highest number of cyber-attacks, which collectively lead to losses of over R2 billion a year. In one of the most recent examples, a leading South African health group fell victim to a sophisticated cyber-attack, rendering all of its systems offline indefinitely. It has not yet been established whether data was stolen, but the ripple effect of the attack has had a devastating effect on the brand’s reputation and, ultimately, its bottom line. Contrary to popular belief, SMEs are just as vulnerable to cyber-attacks as their larger counterparts, and as of July they will be expected to have the necessary measures in place to adequately protect themselves and their customers.
Three Tips to Becoming POPIA Compliant
As the deadline for POPIA compliance looms, I offer the following advice to SMEs across the board.
- Upskill your team: With the establishment of the POPIA last year, we’ve seen a mushrooming of related services. Thanks to the laws of supply and demand, SMEs now have access to a wealth of information in the form of training and support. The full legislation can be accessed on the South African Government website (a 76-page PDF document). Choose a few key members of your team and invest in learning and development around the structural implications of the POPIA. The Act is not going anywhere, so staying on top of recent developments is key.
- Audit your marketing strategy: The POPIA will have a significant effect on the way you are permitted to market your SME to potential customers. For example, customers must give explicit consent to receiving direct marketing communication from your business. If they do not legally “opt in”, a business has no right to store or use their information, and you will be liable to a fine should there be customer complaints. It is therefore imperative that your marketing team – or the agency you use – is well-versed in the implications of the Act for marketing strategies.
- Appoint an information officer: As an SME with a handful of employees, you may not consider it necessary to appoint someone to keep abreast of the times and of how the POPIA will evolve, but it is an investment well made. Outsource the responsibility if you have to, but make sure you have an accountable party who is keeping an eye on the legislation. The smarter cyber criminals become, the smarter the law will have to become. So, watch this space – there are bound to be more technical developments.