The Protection of Personal Information Act aims to protect consumers from the sale or illegal use of any personal information without their permission. This is good news for the consumer (all of us) as it ensures the protection of our data and stops all the unsolicited direct marketing attempts from businesses that bought your details for the right price from highly reputed and listed companies. However, for businesses the Act means that drastic changes need to be made in how companies market and use customers’ personal information.
Companies that ignore the Act will do so at their peril. Consumers are fed up with the tons of spam that find their way into our inboxes and onto our mobiles, and the reality is that in South Africa a startling 91% of all emails are spam.
The Act consists of 8 information protection principles which conform to international standards; these range from Accountability to Security Safeguards. The responsibility for the monitoring and enforcement of compliance will rest with the Information Protection Regulator, and organisations that fail to comply with the Act will face civil liability claims, criminal sanctions, significant reputational damage and, in severe cases, a 10-year prison sentence.
South African businesses need to make sure that their policies, processes and training are up to standard, because there are many areas where a company can fall short. Businesses need to make sure that they have centralised databases containing customer information as well as up-to-date opt-out lists. Processes and policies with employees and third parties have to be watertight to avoid liabilities, and regular training needs to be introduced to teach employees the correct and safe way to process and store customer information, because a spreadsheet in Excel is no longer acceptable.
Most retailers, especially those with a decentralised marketing approach (i.e. every branch does its own marketing), are particularly vulnerable. These businesses, with many branches, systems and customer databases, will have to make substantial changes. A single customer repository or database is essential, because if a customer wants to opt out at one branch, they actually opt out of the entire company, and if the customer continues to get marketing messages from another branch, then the company will be held accountable.