Feature topic

POPIA is coming. What should we do?

  • Subject to proclamation by the South African President, the Protection of Personal Information Act, 2013 ("POPIA") is due to come into effect on 1 April 2020. What should organisations do to start getting ready for POPIA?
    1. don't panic – POPIA has an implementation period of 12 months from 1 April 2020, so it is not too late to start your compliance journey.
    2. don't procrastinate – POPIA compliance is not an overnight event; it is a journey. While number one above applies, this does not mean that organisations should wait until 2021 to start their compliance journeys. Start as early as possible.
    3. seize the opportunity – a well-structured POPIA compliance journey can actually lead to profit for organisations who use the journey to get smart about how data is used.
    4. obtain executive buy-in – without the backing of management and the allocation of resources, POPIA compliance will not be achieved. The fact that the CEO of a private organisation is the default Information Officer, and that POPIA as read with the Promotion of Access to Information Act, 2000 ("PAIA") imposes personal liability on the Information Officer in certain instances, should be incentive enough to comply. The threat of fines, penalties and, worst of all, reputational loss should be an even bigger incentive to comply.
    5. find trusted and experienced advisors – if we learn from what happened in Europe prior to the General Data Protection Regulation ("GDPR") implementation date, as well as from the market entrants now popping up and holding themselves out to be "POPIA experts", pick your POPIA advisor carefully. Vet and verify their experience and claims to expertise, and ensure that they are not simply being opportunistic in offering services after attending one seminar on POPIA.
    6. it's not just law – organisations will need a mix of legal, technological and change management solutions to get compliant. ENSafrica (together with select reputable IT companies) offers an end-to-end compliance solution which factors in legal tools (such as our POPIA Toolkit), use of technology, and change management professionals where needed.
    7. use quick wins – the POPIA Toolkit designed by ENSafrica helps organisations to fast track their compliance efforts.
    8. call or email our POPIA experts, it's virtually free – the call may cost you just a few minutes in airtime spend (the email a little in data), but we promise we will not charge you for our time taken on the call.

POPIA in brief

Direct marketing in terms of POPIA and GDPR

  • there is a widespread misconception in the market at the moment about what consent to electronic direct marketing (ie, opt in clauses) means. This is partly because it is often assumed that the European Union ("EU") sets the "gold standard" for data protection and that any opt-in consent clauses that meet the EU requirements should suffice in South Africa, too. But this is not correct.
  • firstly, it is important to distinguish between the situation in the EU and that in South Africa.
    • sending of direct marketing communications in the EU is regulated by both the GDPR and the ePrivacy Directive ("ePD") (which will soon be replaced by the ePrivacy Regulation ("ePR")).
    • as a general rule, article 16(1) of the ePR requires companies to obtain end-users' consent before sending electronic direct marketing communications to them (ie, an "opt-in" requirement). This consent is defined by reference to articles 4(11) and 7 of the GDPR and must be a freely given, specific, informed and unambiguous indication of wishes, expressed by a statement or by a clear affirmative action. Often, such consent is expressed by ticking a box.
    • while opt-in remains the standard for direct marketing communications in electronic form in the EU, article 16(2) of the ePR provides an exemption to that rule, known as the "soft opt-in", where three conditions need to be met:
      • the electronic contact details must have been obtained by the person wishing to send direct marketing (ie, the controller) from end-users who are natural persons, in the context of the sale or purchase of a product or a service;
      • the end-users must clearly and distinctly be given the opportunity to object, free of charge and in an easy manner, to the use of their contact details for direct marketing at the time of collection of these contact details. If that end-user has not initially refused that use, they must also be able to opt out each time the controller sends a message to that end-user for the purpose of direct marketing; and
      • the electronic contact details may only be used for direct marketing of the controller's own similar products or services.
  • in South Africa, once POPIA comes into force, the "soft opt-in" in section 69(3) of POPIA will be almost identical to that of the ePR, but the "opt-in" requirements will be regulated a lot more stringently under section 69(2).
  • section 69(3) provides that a responsible party may only process the personal information of a data subject who is a customer of the responsible party for the purpose of d
    • the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
    • the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details at the time when the information was collected and on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
  • section 69(2) provides that a responsible party may approach a data subject whose consent is required for direct marketing by electronic means, and who has not previously withheld his or her consent, only once in the prescribed manner and form in order to request the consent of that data subject.
  • the prescribed manner and form were promulgated in terms of regulation 6 of the POPIA Regulations, which stipulates that a responsible party must submit a request for written consent to that data subject on the prescribed Form 4.
  • special attention should be given to the following definitions set out in the POPIA Regulations when interpreting the requirements of Regulation 6:
    • "submit" means submit by data message; electronic communication; registered post; electronic mail; facsimile; and personal delivery;
    • "data message" includes a data message as defined in section 1 of the Electronic Communications and Transactions Act, 2002 ("ECTA") (ie, data generated, sent, received or stored by electronic means and includes voice, where the voice is used in an automated transaction; and a stored record);
    • "writing" includes writing as referred to in section 12 of ECTA (ie, a legal requirement that a document or information must be in writing will be met if it is in the form of a data message; and accessible in a manner usable for subsequent reference);
    • "signature" includes an electronic signature as defined in section 1 of ECTA (ie, data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature); and
    • "form(s)" means a form referred to in the annexures to the POPIA Regulations or any form which is substantially similar. The meaning of "substantially similar" within the context of the POPIA Regulations has, of course, not yet been judicially considered. The courts have, however, in different circumstances, held that the word "substantially" means "in the main" or "in its principal essentials", and that a thing is "similar" to another if, without being identical to it, there is a resemblance in some relevant respect. In our view, the phrase "substantially similar", in the context of the POPIA Regulations, means that any consent clause for purposes of direct marketing by electronic means must resemble or contain the principal essentials of Form 4, but does not have to be identical to it.
  • as such, consent can be obtained in a form containing the essential elements of Form 4, sent to the data subject by means of a data message, such as an email or USSD link, and signed by the data subject by means of an electronic signature. This will make getting Form 4 consent considerably simpler.
