Understanding POPIA – two sides to the coin

THE Protection of Personal Information Act (POPIA) governs the law of data protection and privacy in South Africa. Set in motion in 2013, the law came into effect in 2020 with a one-year grace period until July 2021.

So what exactly is POPIA and how does it affect businesses and consumers? We spoke to senior lecturer at University of KwaZulu-Natal’s School of Law, Dr Dusty-Lee Donnelly, who outlined the main purpose of the POPI Act – to introduce global standards to South Africa in protecting data.

Donnelly said there are two sides to the coin when it comes to data protection. On the one hand, there is now legal accountability for businesses and organisations in terms of data protection.

“Anyone who is using personal information must comply with the Act and this means amongst other things putting in place organisational training and policies for staff, and having adequate cyber-security and technical controls to be able to detect if someone has intruded on their system. For example, if they become aware that an employee is unlawfully sharing information or if the information has been hacked, they need to report that to the Information Regulator. There are very large fines for non-compliance.  The Information Regulator recently finned the Department of Justice and Constitutional Development R5m for failing to adequately upgrade their cyber security after a data breach in 2021,” said Donnelly

Also read: Technology at its finest at Innovate Durban Pitching Den

On the other side of the coin, the POPI Act empowers individuals to take control of their personal data.

“People need to be aware of their rights under the POPI Act. In many ways, we, as consumers, have become lax about giving away data for free. Consider that if you are giving your data away for free, you are most likely the product. We all sign up for free apps on our cellphones, and in the process, companies are using our data,” said Donnelly.

So if personal data is protected, how do telemarketing companies keep calling?

“While direct marketers are buying your personal information, it is now illegal for them to contact you without your permission according to Section 69 of Popi Act. Popi outlaws direct marketing via electronic communication unless consent is given. They are allowed to approach you once to ask if they can send marketing information, but if you refuse, they cannot ask again – unless you are an existing customer. Then they are allowed to market to you, but you’re allowed to opt-out,” said Donnelly.

“However, there is a loophole in the POPI Act,” says Donnelly.

“Section 69 of the Popi Act applies to electronic communication – emails, sms messages, automatic calling machines – but telemarketers take the view that electronic marketing does not apply to cold calling. They argue that they don’t need your consent to call you because cold calling is part of legitimate practice,” explained Donnelly.

She added that in terms of Section 11(3) of the POPI Act, you have the right to object to this.

Also read: UKZN addresses student food insecurity with sandwich drive

“If you tell a telemarketer that you do not want to receive further calls, it is illegal for them to continue contacting you,” she said.

 Donnelly shared several practical steps to take back control of one’s personal data:

• Ask the marketer to remove you from their call list.  If they still call back, ask for the company’s name and the email address of their Information Officer where you can send a written objection.  The Information Regulator has a written objection form on their website, which you can download for this purpose. Find the form here.
• If you ask, the marketer must say where they obtained your personal information.
• The Direct Marketing Association of South Africa runs a ‘DO NOT CALL’ list.  If the company is a member of the DMA, then they cannot contact you if you have opted out of direct marketing. Visit https://www.nationaloptout.org/ for more details.
• Install Truecaller to identify spam calls, and simply do not answer.
• Block spam numbers on your mobile phone.
• Be vigilant about who you share your personal information with.

Look out for Part 2 of this article where we chat with Prof Sizwe Snail ka Mtuze, Attorney at Law and adjunct professor at Nelson Mandela University who outlines the eight conditions of the POPI Act.