
South Africa’s POPI Act – What It Means For Marketers


If you were to ask consumers whether or not they value their personal information, the answer would undoubtedly be yes. Consumers are no longer naive about how their personal information should be protected and they are starting to expect businesses to respect their constitutional right to privacy.

When the POPI Act comes into full effect this year, customers will assume that their information will be more secure than ever before. This Act has been developed with the intention to place significantly more restrictions on how information is gathered by businesses and what can and can’t be done with it once it is gathered, for the sake and protection of the South African consumer.

What exactly is the POPI Act?

The Protection of Personal Information Act (POPIA), also referred to as the POPI Act, is a mandatory code of conduct signed into law in November 2013. It was put into place to ensure that all South African organisations act responsibly when collecting and handling a public or private citizen’s personal information.

It acknowledges the value attached to such information by granting South Africa’s “data subjects” more control over their data in terms of when and how it will be collected, used, and shared.

In short, its purpose is to prevent the collection of personal information without the subject’s prior knowledge and consent. It safeguards every South African’s constitutional right to privacy by ensuring that, if and when their personal data is collected and processed, it is done so fairly, securely, and responsibly.

But how does this impact business?

When you look at it from a marketer’s perspective, it might not receive such a warm welcome. It’s not that marketers disagree that personal data must be protected; it’s just that data collection is such a vital part of the marketing process, and limitations to its collection could have far-reaching consequences for some companies’ marketing strategies.

In fact, database marketing strategies are based entirely on the collection and analysis of data, so let’s take a look at how they will be impacted.

Although the POPI Act ultimately applies to anyone who collects data for any reason, it zeroes in on database marketing with dedicated sections (Sections 69 through to 72) regarding the regulation of the information-handling process – from the moment the information is collected to when it’s been disposed of.

These regulations don’t ban email and database marketing entirely, but they might affect the industry’s dependence on these platforms, as the Act prohibits the collection of personal information without obtaining prior consent from the subject.

Right now, marketers are essentially free to send marketing messages to anyone, whether it’s via email or SMS, as long as the recipient is given a clear point of exit (the option to opt-out).

However, a few things will need to change once the POPI Act comes into full effect.

To keep their databases fully compliant, marketers must receive the subject’s express permission before adding them to the communications list.

When it comes to unsubscribing from a mailing list, email and SMS recipients must be given a clear, easy, and most importantly, penalty-free opt-out method.

To make sure that data is collected and processed legally, public and private entities are required to comply with these 8 conditions:

  1. Liability – The individual or organisation collecting the information must abide by all the rules set out by the Act.
  2. Boundaries to data collection – Data must be handled in a way that won’t negatively impact the subject’s privacy. This must be done by obtaining their prior consent as well as only collecting the least amount of data needed to complete the task.
  3. Intent – Before collecting information, the subject must first be made aware of what it will be used for.
  4. Additional processing limitations – A subject’s personal information may only be processed further if the current task is relevant to its original purpose.
  5. Data quality – All accumulated data must be kept up to date and accurate at all times, while also keeping in mind its original purpose.
  6. Transparency – All related methods and reasoning pertaining to the collection of data must be properly documented and the subject must always be made aware of when and why their information is being collected.
  7. Data safety – All personal data must be protected against, among other threats, unauthorised access, loss or damage, and inaccurate modifications to ensure that it stays confidential. Should the data be compromised, the subject must be notified immediately.
  8. Subject participation – Subjects whose data has been collected in the past are entitled to ask for details surrounding the collection and use of their information, provided they are able to produce some form of identity.

When will it come into effect?

This part is still unclear. Despite rumours that POPIA will come into effect in April 2020, no one is 100% sure when it will be fully implemented. It has, however, been released in segments since its announcement in 2013. This uncertainty leaves businesses and marketers in a somewhat panicked state since many business practices rely on the collection of user data to improve operations.

One thing is for sure, though: following its release date, businesses will have 12 months (1 year) to get their ducks in a row.

How far is SA from being fully compliant?

A survey conducted by Sophos, a frontrunner in global network security, says that only 34% of South Africa’s organisations are prepared to fully comply before the deadline.

Regional manager of Sophos South Africa, Pieter Nel, says that the best way to prepare for the POPI Act is to “implement a solid data protection strategy that guards against loss of data whether through malicious or accidental methods.”

Nel warns that “creating a data protection strategy can be a daunting process, especially if it hasn’t previously been a focus area for organisations. Securing against major threats that cause data breaches is a great place to begin.”

What will happen if businesses don’t comply?

In short, anyone found guilty of misusing this information will be held liable to pay a fine of up to – brace yourself – R10 million and/or serve a prison sentence of up to 10 years.

The upside

It may not seem like it now, but marketers that comply with the POPI Act will not only see an increase in engagement and ROI, due to increased trust and the fact that their marketing efforts will only be directed at prospects that have indicated an interest, but they will also be able to streamline their data collection process.

Disclaimer: This is by no means a complete overview of the POPIA, but rather a summary of the parts affecting the marketing industry. If you’re interested in reading the complete document, you can find it here: https://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf