POPI Compliance for businesses that collect and store customer data online

POPI compliant email marketing

Following on from POPI Act: 9 Ways To Ensure Your Business Complies, this POPI article focuses on how to collect, record, store, disseminate and destroy personal information in a manner that complies with the customer data privacy law.

But let’s start with a quick overview of what it all means. Basically, a line has been drawn in the sand for anyone who deals with electronic customer data. There is a new customer data protection act, the Protection of Personal Information Act (POPI), and it is a hot topic for any organisation that uses the personal information of its users. Complying with POPI is essential: once the law is in force, a breach of the Act could leave you liable for a significant fine or a prison sentence.

Data collection

Now it’s time to get down to the nitty gritty details. Firstly, when collecting data, direct marketers will need to entice their audience with a creative strategy to “opt in”, accompanied by a clear disclaimer which the user must consent to before the marketer may store and use the information. An important thing to note as a marketer is that once users let you use their information, you can only use it for the primary purpose for which it was requested, as stipulated in the disclaimer. Another fact to keep in mind is that personal information must be collected directly from the data subject or from public records, which means no more rented database lists.

Data storage

The second point concerns the storage of information on and off site, where security, regulations and geographic limitations come into play. Organisations cannot transfer personal information to a third party in a foreign country unless that third party is bound by a law or agreement that upholds principles corresponding to those in the POPI Act. If security has been compromised, the Regulator and the affected data subjects have to be notified as soon as reasonably possible. Using cloud storage can be risky because of cross-border data transfers, as most suppliers host their cloud in another country. So keep this in mind when depositing information in the cloud, and remember that outsourcing the hosting does not transfer the responsibility away from your company.

Data processing

Touching on the third step, processing data in accordance with the customer data protection act, you will need to notify the Information Protection Regulator that you are processing and disseminating personal information. The eight conditions for lawful processing set out in the POPI Act are: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, and Data Subject Participation.

Destroying data

The next key point is how to destroy customer data in accordance with POPI. Personal information cannot be retained for longer than necessary and will then have to be destroyed or de-identified. According to BusinessWeek.com, shredding hard drives is the most effective method: the drives are literally fed into a machine that destroys them. An alternative is degaussing, whereby hard drives, floppy disks and computer tapes are passed through a powerful magnet which scrambles the data so it can’t be recovered. Another option is to use special software to “wipe” the information, overwriting the storage media with random data. Note that overwriting is only reliable where the disk actually rewrites the original blocks in place; on SSDs, whose controllers remap blocks for wear levelling, and on copy-on-write filesystems, the old copy may survive, so the drive’s own secure-erase command or physical destruction is the safer choice there.
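The software “wipe” option above, as an added example that is not part of the original article: a small Python utility that overwrites a record file with random bytes, forces the write to disk, and only then unlinks it. The file path, the constructed sample customer records and the `passes` count are assumptions for illustration; the same caveat applies as in the text, that in-place overwriting is only meaningful on media that rewrite blocks in place.

```python
import os
import tempfile

# Constructed sample record; any real deployment would point at the real export file.
SAMPLE_RECORD = b"customer_id=1001,name=Alice,email=alice@example.com\n"


def overwrite_file(path: str, passes: int = 1, chunk_size: int = 1 << 20) -> int:
    """Overwrite every byte of `path` with random data `passes` times.

    Returns the number of bytes overwritten per pass. Each pass is flushed and
    fsync'd so the random data reaches the device before the file is removed.
    Caveat: SSD wear levelling and copy-on-write filesystems may keep the old
    blocks; use the drive's secure-erase or physical destruction there.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))  # CSPRNG bytes, not a fixed pattern
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite `path` in place, then unlink it. Returns bytes overwritten."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo() -> dict:
    """Create a constructed record file, wipe it, and report what was observable.

    The returned dict shows the bytes overwritten, whether the original record
    could still be read back after the overwrite, and whether the file remains.
    """
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD * 200)  # 200 constructed customer rows
    overwritten = overwrite_file(path, passes=1)
    with open(path, "rb") as f:
        after = f.read()
    still_readable = SAMPLE_RECORD in after
    secure_delete(path, passes=1)
    return {
        "bytes": overwritten,
        "still_readable": still_readable,
        "exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the report; the useful check is that the original record is no longer present in the file contents before the unlink, which a plain `os.remove()` would never give you.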

Remember that, despite the effort of getting your head around all the legislation, this customer data privacy law is also a positive opportunity to improve customer relationship management. The more knowledge and understanding of the POPI Act you have, the better position your company will be in. Look out for the next article in this series soon.