Your guide to what every website owner should know about the South African POPI Act.
Ok, so we’re building you an Awesome Ecommerce Site. It’s user-friendly, fast, and beautiful. Perfect for nudging your customer to fill their cart. Now what?
Before you can process the transaction, you’ll need some information, such as:
- How will they pay? For their convenience, you’ll need their credit card details.
- How can you deliver the item without an address?
- Will you leave it at the door without confirmation that the right person received it?
Will you collect, store, or share this data?
My Precious
The new Protection of Personal Information Act (POPI) says this personal information is categorised as precious goods and should be protected. This means one thing: your company has to be very, very careful.
You can be held accountable should you compromise or abuse this personal information. In fact, non-compliance can result in up to 10 years in jail or fines of up to R10 million. As your website developers, we must put the right processes in place, and quickly.
Very few businesses are exempt. Even if your website is not an ecommerce site, POPI has implications for your business. If your business processes, keeps or shares information about customers (or employees), it has to comply.
They’re making it personal
Any information that can identify a person is deemed personal information. Demographic statistics and anonymous survey results don’t qualify.
However, these do: photos, videos, contact information, biometric information (blood group etc.), ID numbers, and history (for example medical or criminal records, employment history and financial information).
So, what’s required for your business to be compliant?
Firstly, when it comes to collecting and recording information, your website must:
- inform the customer when you are about to collect personal information;
- obtain the customer’s consent before collecting that personal information;
- tell the customer what you intend to use their information for (for example, in order to deliver a service).
Secondly, in terms of data storage, you must:
- put electronic security measures in place;
- notify customers if these security measures fail and there is a data breach;
- destroy or delete customer information after using it for the purpose it was intended … and nothing more.
The Act is about responsibility, security, and consent. Here are three of the things we will do from our side to help make your business website compliant:
- Update or implement security features to safeguard data against being compromised or stolen. For instance, forms are a notorious source of security breaches, because the data they collect is stored on the back end of your website, where it is exposed to attackers. We can fix this.
- Add a consent confirmation request before allowing personal data to be collected or stored.
- Add a privacy statement to your Ts&Cs. This statement must clearly set out what information you gather, how you manage and store it, and who you will share it with. It must also describe the steps you take to secure your customers’ personal information.
We can do it!
Your website must be developed to meet the stringent requirements of the POPI data privacy laws. And we only have until 1 July 2021 to get it done. Let’s get started!