
The POPI Act: Differentiating Business Through Increased Consumer Confidence

Crimes committed using compromised personal information have left consumers reluctant to give out their data. Without a massive shift in how business is done, organisations that rely on these details will likely lose customers.

This is according to Pontso Nyathi, Head of Forensic Services of SizweNtsalubaGobodo (SNG), South Africa’s largest national black-owned accounting firm.

However, Nyathi believes that the POPI (Protection of Personal Information) Act will help preserve and rebuild consumer confidence as the regulation is designed to protect customers from the misuse of their personal information.

“It is in the best interest of business owners to ensure their practice is POPI-compliant and we have strongly encouraged our clients to make the necessary changes as soon as possible,” says Nyathi. “Consumers will feel more confident doing business with a POPI-compliant company, knowing that their personal details will not be compromised or used for other purposes.”

Complying with the Act involves an array of activities, including gap assessment, design of processes and procedures, overhaul of IT systems or environment focusing on information governance, and awareness of the POPI Act within the organisation.

The POPI Act will allow the Regulator to institute a civil action for damages against a responsible party for breach of any provision of the Act, whether or not there is intent or negligence on the part of the responsible party.

The Act will be beneficial to both consumers and businesses. For consumers, the POPI Act will help to restore lost trust, and compliant businesses will be viewed as having an additional value that differentiates them from their competition.

The impact of low consumer confidence

Telemarketing companies that sell products over the phone have been negatively impacted by consumer skepticism, as people refuse to share their personal information over the phone. The apprehension is twofold: doubt about operational legitimacy, and concern about the potential compromise of personal information.

POPI regulations will also allow the public to submit a request to a company in order to have their personal records removed or rectified. Such demands may place an excessive hardship upon the responsible company.

This cynicism impacts not only telemarketing companies but all companies that need personal information. Customers have demanded assurance that their personal information will be protected, and that it will be used solely for the purpose for which it was taken.

Complying with the POPI Act

The POPI Act became partially effective from 11 April 2014, but anyone who would like to comment on the draft regulations must do so on or before 7 November 2017. Once the regulations come into full effect, companies will have a grace period of one year to comply.

For now, the Information Regulator is counting on organisations voluntarily complying; however, after the grace period expires, the penalty for non-compliance is strict. Non-compliant organisations risk being sued by data subjects, accruing legal costs, and suffering a negative image, which may ultimately destroy the value of the organisation.

In addition, the Regulator may levy administrative fines on organisations of up to R10 million, should they fail to comply with the requirements of the Act. The Regulator may also choose to pursue criminal prosecution, and if found guilty, the convicted person will face imprisonment for a period not exceeding 10 months or 12 years, depending on the sections of the Act that have been contravened.

The POPI Act is applicable to all organisations in South Africa, including other Regulators.