What are some practical implications of the POPI Act that you need to keep in mind?
The POPI Act requires personal information to be retained only for as long as it is needed for the specific purpose for which it was collected, and to be protected while it is held. In practice this means you need to be far more cognisant of where personal information is stored across your business.
Because information that is no longer needed must be disposed of, and records must be kept up to date, you need to know exactly where each set of personal information lives and how to get at it. An automated solution that disposes of expired records is the easiest option in principle, but it leaves no margin for error in the automation itself and can be costly to design properly. The POPI Act also requires every responsible party to have an Information Officer, and where automation is not possible that person will have to oversee the regular, manual clean-up of records, which can be very time-consuming.
You also need to focus on what is stored and why. The POPI Act only permits personal information to be collected and kept for a specific, explicitly defined and lawful purpose. If any data you collect from a data subject is not held in order to achieve such a purpose, keeping it can expose you to legal liability. You are therefore not allowed to store irrelevant or excessive information. This is especially important for highly sensitive data, such as financial details, which needs strong protection against cyber-intruders.
How your data is stored should also be considered. The POPI Act requires appropriate and reasonable security measures to be in place for any personal information you hold, whether physically or digitally, which means that all reasonably foreseeable internal and external risks to that information must be identified and addressed, and the safeguards must be regularly verified and updated. Think of the practical implications this has for your data servers, such as the need to install CCTV to monitor the server room, or the way you encrypt data for safekeeping.
When it comes to direct marketing by electronic means to someone who is not already your customer, you may approach them for consent only once. If the individual declines, you are legally prohibited from approaching them again. Data subjects are also entitled, on request, to access the personal information you hold about them and to be told who has had access to it. This means that whose information you collect and use matters, as does who has access to and uses that information. Unless the data subject has consented, or another lawful ground under the Act applies (such as the performance of a contract or a legal obligation), you may not share their personal information with a third party.
Time is running out for businesses to become compliant. From 1 July 2021, businesses are expected to comply with the POPI Act. Before that date arrives, businesses will need to have carried out a data audit to make sure they hold only the personal information the POPI Act allows, and to have implemented policies that regulate how information is collected, stored, processed and destroyed. Becoming compliant takes time, because deliberate changes must be made to how personal information is handled, and this cannot be left to the last moment.
One of the best things that businesses can do from here on out is to implement processes that will normalise POPI Act compliance in the day-to-day operation of the business. The sooner, the better.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. (E&OE)