What is the POPI Act (POPIA) and why is it important to small businesses?

By now you have probably had a flood of emails in your inbox reminding you that you are subscribed to a newsletter, or asking you to opt in to one, as part of a company’s efforts to get in line with the Protection of Personal Information Act (POPIA / POPI Act). Most of the Act commenced on 1 July 2020 with a one-year grace period, so it has been enforceable against businesses since 1 July 2021.

The aim of POPIA is to require businesses and government agencies to follow a set of conditions that govern how personal information is gathered, stored, used and shared. So how does this affect your small business?

Let’s start by defining personal information. POPIA defines it as information relating to an identifiable, living, natural person (and, where applicable, an identifiable, existing juristic person). In plain terms: anything that can be tied back to a specific person. This information includes but is not limited to:

  • Race
  • Gender
  • Sex
  • Marital status
  • National / ethnic / social origin
  • Colour
  • Sexual orientation
  • Age
  • Disability
  • Religion / beliefs / culture
  • Language
  • Educational / medical / financial / criminal or employment history
  • ID number
  • Email address
  • Physical address
  • Telephone number
  • Location
  • IP address

Even the cookies your website sets to track traffic contain unique identifiers that can single out a visitor, so they are personal information and need to be managed in accordance with POPIA.

1. Collecting information without infringing on the POPI Act

A database of customer contact details is often the most valuable marketing resource a business has. These are people who have in the past indicated they like you and want to hear more from you. POPIA sets out eight conditions for lawful processing; for collecting marketing data, three of them matter most:

  1. The customer is told clearly what their information will be used for before they submit it (e.g. “we will use your email address to send you special offers once a week.”).
  2. The customer must opt in before you use the data for marketing or any other purpose.
  3. No unnecessary data may be collected (e.g. if you are selling scatter cushions it would be unnecessary to request the customer’s race).

One caveat on the opt-in: POPIA’s direct-marketing rule (section 69) lets you market similar goods or services to an existing customer whose details you obtained in the course of a sale, provided you gave them the chance to opt out when you collected the details and in every message you send. Anyone who is not already a customer needs an explicit opt-in.

NOTE: If you have already been collecting customer data in a way that satisfies the above three points, then you are golden and do not need to go back to your customers for fresh consent to keep their info.

2. Storing information in accordance with the POPI Act

POPIA requires that every business, regardless of size, has an Information Officer. By default this is the head of the business, who may designate one or more deputies, and the Information Officer must be registered with the Information Regulator. This person is responsible for ensuring that all records containing personal information, digital or physical, are stored in a secure location that only authorised staff can access, and that the collection, storage and use of personal information happens in accordance with POPIA.

The practical course of action for a small business is for the owner (the default Information Officer) to delegate the day-to-day work to your marketing guru as deputy, unless of course you are the sole owner / employee, meaning you get yet another hat to wear, hooray!

A note on third parties: you are not permitted to share personal information with, or allow access to it by, any third party unless you have told the customer you do so and why. Equally, you may not send emails or make phone calls on a third party’s behalf if you have not obtained the customer’s permission. A marketing agency that sends mail on your behalf is an “operator” under POPIA: it may only process the data on your instructions, you must have a written contract with it that obliges it to keep the data secure, and your terms and conditions or privacy notice must state that you share information with that specific third party and for what purpose (and if the agency is not us, how about you give us a shout ;) ).

3. Using information in line with POPIA

This is critical, so listen carefully: no one likes unexpected calls from businesses trying to sell them things. It’s one of my biggest peeves. As a business, you can avoid this by ensuring you have collected the info correctly (see point 1 above if you’ve already forgotten that part) and by using the info ONLY in the way you said you would. Did a customer buy something online, provide an email address, but not opt in to marketing emails? Do not email them. Did a customer fill in a COVID-19 register when they entered your store but not opt in to receiving phone calls? Do not phone them.

So what do you need to do to be POPIA compliant?

  1. Register your Information Officer with the Information Regulator and, if you like, delegate the work to a deputy
  2. Ensure your terms and conditions (or privacy notice) include every way data is collected, handled, shared and used
  3. Collect only necessary data and require an opt-in
  4. Store the data securely, with access limited to authorised staff
  5. Use the info customers have trusted you with only in ways you have explicit permission for

If you are unsure about any part of the Act, you can explore the full text here: https://popia.co.za, or you can drop us an email and we will be happy to chat.