POPI Compliance for businesses that collect and store customer data online
But let’s start with a quick overview of what it all means. Basically, a line has been drawn in the sand for anyone who deals with electronic customer data. There is a new customer data protection act known as the Protection of Personal Information Act (POPI), which is a hot topic for organizations that use the personal information of their users. It’s essential to comply with POPI: once this law is signed, any breach of the POPI Act could leave you liable for a significant fine or a prison sentence.
Now it’s time to get down to the nitty-gritty details. Firstly, when collecting data, direct marketers will need to entice their audience with a creative strategy to “opt in”, accompanied by a clear disclaimer which the user must consent to before marketers can store their information. An important thing to note as a marketer is that once users let you use their information, you can only use it for the prime purpose for which it was requested and stipulated in the disclaimer. Another fact to keep in mind is that organisations can only collect data from public domains, which means no more rented database lists.
The second point concerns the storage of information on- and off-site, where security, regulations and geographic limitations come into play. Organisations cannot transfer personal information to a foreign third party unless that third party is bound by a law or agreement that upholds the same principles contained in the POPI Act. If security has been compromised, the affected parties have to be notified immediately. Using cloud storage can be risky because of cross-border data transfers, as most suppliers host their cloud in another country. So keep this in mind when depositing information in the cloud, and remember that the responsibility for that data does not transfer away from your company.
Touching on the third step, processing data in accordance with the customer data protection act, you will need to notify the Information Protection Regulator that you are processing personal information. The eight important conditions that need to be considered when processing data under the POPI Act are: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Information Security, Openness, and Data Subject Participation.
The next key point is how to destroy customer data in accordance with POPI. User data cannot be retained for longer than necessary and will have to be destroyed. According to BusinessWeek.com, shredding hard drives is most effective, whereby hard drives are literally fed into a machine that destroys them. An alternative is the degaussing process, whereby hard drives, floppy disks and computer tapes pass through a powerful magnet which scrambles the data so it can’t be recovered. Another option is to use special software to “wipe” or overwrite information, basically replacing the contents of the disk with gibberish.
TotalSend SMS and Email Marketing