In 2021, South Africa had the third-highest number of cybercrime victims worldwide and it cost the economy R2.2-billion a year.
Data is a key asset to any business – that’s why it’s crucial that it’s protected. Data can help businesses understand vital information, such as customer buying behaviour or enable digital payments. However, in the wrong hands, it can be abused. Consider the risk that cyberattacks and data breaches pose to businesses.
According to data presented by AksjeBloggen.com, phishing is responsible for the majority of cyberattacks, resulting in businesses across the globe having to increase their cybersecurity budgets every year. Personal information that is at risk includes phone numbers, ID numbers, dates of birth and financial details.
Not only is this costly to consumers, but also to businesses. The average cost of a data breach to South African companies is R31.6-million, according to the 2020 Cost of a Data Breach report done by the Ponemon Institute.
Because of this, businesses around the world have placed a focus on protecting personal information and fending off data breaches. Following the introduction of the Protection of Personal Information Act (Popia) on 1 July, South Africa is now in line with global data protection standards, such as the European Union’s General Data Protection Regulation (GDPR) laws.
The Act promotes the protection of personal information, safeguarding companies from data breaches and cybercrime and preventing intrusive marketing practices. However, many businesses and marketers are still delaying the process of implementing the new legislation and are unsure of how to comply with the act.
Remaining globally competitive
For South African companies wanting to operate in a global environment, making the changes required by the Act could boost success and widen the net of opportunities. The legislation not only removes the administrative barriers that can hamper international business, it also positions South Africa as an appealing destination for foreign investment due to proper data regulations being in place.
Protecting businesses and stakeholders
Although the Act introduces additional requirements that businesses must comply with, it should be viewed as a positive step for South Africa. The global shift is bringing clear alignment with direct marketing consent and data-protection policies. With the demise of third-party data sharing to protect consumers’ privacy, legislation such as Popia is becoming more relevant and necessary.
In an age where cybercriminals are sharpening their skills, businesses have to take responsibility for how they collect, share, protect and govern access to customer data.
Because the Act’s scope is broad, there are specific conditions in the Act that deal with direct marketing communications, which many businesses struggle with when ensuring they remain compliant.
Here are 4 practical steps businesses can take towards direct marketing compliance:
1. Establish a data rights procedure: If a business holds someone’s personal data on file, that person is a data subject whose rights must be respected in accordance with Popia. All data subjects have the right to access, correct or request to delete their personal data. Be sure to establish a procedure for how you will be handling these requests.
2. Ensure a privacy policy is in place: A privacy policy is a public-facing document that tells customers (or anyone else) what you do with personal information. A privacy policy should be written in clear, plain language and made available via the company’s website or when a customer opts in to share their information. It is advisable to approach a legal specialist to draft proper consent forms, notices and privacy policies in line with Popia.
3. Review your marketing contact database: Any recipient of a company’s marketing communications must have voluntarily opted in to communications, must be contacted for a specific purpose and must be informed about the type of communication they will receive. When collecting personal information, this should also include a link to the company’s privacy policy.
Alternatively, recipients could already be existing customers if the company is marketing products or services that are similar to those offered when the company first acquired their personal details. With each new marketing email sent, customers must have the option to unsubscribe.
4. Continuously update databases with customer preferences: Customer databases must be managed more effectively to adhere to customer requests to opt out of marketing communications. This involves proper records of customer information, including where, how and when information was initially obtained; whether they’re an existing customer and, if so, what products or services they’re interested in; whether consent was obtained to receive direct marketing; and whether they’ve unsubscribed from any direct marketing communication.
Technology is an enabler of Popia compliance
If businesses are still unsure whether they have the required consent from customers, there are easy ways to obtain it, such as the right marketing tools. These should support compliance and uphold data governance standards. For example, Mobiz ensures that customers have access to multiple tools to assist with compliance, such as QR codes to obtain consent and collect first-party data, double opt-in SMSes, automatic opt-out list management, a data retention policy for unused customer data, secured landing pages and secure data upload, which is encrypted both in transit and at rest.
Implementing the changes that the Act brings doesn’t have to be a daunting task. By knowing how to go about it with the proper tools, businesses can become compliant in order to protect themselves and their customers.