POPIA is good, but a lack of understanding of POPIA often results in over-engineered data processes, which in turn is bad for business, writes Jason Shedden, Chief Operating Officer at Contactable.
The Protection of Personal Information Act (POPIA) is a critically important and necessary piece of legislation that the consumer has long been waiting for. In terms of protecting people’s personal information, it aligns South Africa with markets in the rest of the world and (amongst many other things) it has helped limit the extreme abuse of personal information among more dubious operators, such as groups profiting from relentless sales and robocalls.
Companies of late are striving to be compliant in order to avoid POPIA’s substantial fines and consequences such as losing customers and brand damage. Ironically, however, in doing so many companies are experiencing churn because they jumped onto the compliance bandwagon without a comprehensive understanding of the legislation and, as such, went too far when re-engineering their business processes.
Damned if you do or if you don’t? Not entirely – the real issue is that companies fail to put POPIA into context given their risk appetite for using personal information in day-to-day operations.
Let’s compare two extremes as an example by considering different business scenarios for both a bank and a basic service provider. A bank can offer you an account, which allows you to transact with large sums of money. A basic service provider simply needs to verify your particulars in order to “know you” and conclude a service contract.
The two types of accounts represent different levels of risk, both in terms of legislation and business consequences, and the scope of personal information each needs to onboard a new customer is therefore very different. Both will use KYC (Know Your Customer) processes. Yet the basic service provider would not need to process the same levels of personal information as the bank does, and each entity should follow the principle of ‘minimality’ by only collecting the minimum personal information required from its clients. As an example, a bank would require a comprehensive understanding of its client to comply with anti-money laundering laws, while a service provider would not necessarily. This is the difference between conducting adverse media screens, Politically Exposed Person screening, enforcement list screening and sanction list screening, or not conducting them at all. It is also the difference between processing a client’s biometric data (which is classified as special personal information) or not.
In the wake of POPIA, what is often observed, however, is that companies ignore such distinctions and over-engineer their business processes to meet compliance standards that are not fit for their business. They thus lose their “fit for purpose” context, which in turn compromises their customers’ user experience. In the absence of understanding, businesses throw caution to the wind and engineer against the extreme case to mitigate legal repercussions. The opposite also holds true: many businesses, in the absence of understanding, under-engineer their business processes because they fear legal retribution, and in so doing fall foul of their own legal requirements under other legislation that affects their business. In both cases the over- and under-engineering of business processes has negative consequences that a simple understanding of POPIA could avoid.
Rather than laying out a series of strict steps that results in a “one size fits all” approach, POPIA outlines general considerations in the Act. Special reference here applies to Chapter 8, Part B, sections 26 – 33, which govern the processing of special personal information.
At Contactable we have seen companies take POPIA to such extremes that all data is totally anonymised internally and a back office can no longer resolve a client query because it cannot ascertain who the client is. Alternatively, we receive requests to delete all personal information that we process immediately after processing, to avoid any unnecessary exposure in data stores; however, a few months later the client is back on our doorstep asking us to undo this request because they can no longer support their customer queries due to a lack of access to data. In all instances, understanding POPIA and the true risk is the key to determining the best use of personal information. Your business needs access to some personal information to transact and has a right to such data. For example, a car dealership can ask for someone’s ID number or credit record – how else will it secure a loan from a bank, process the car registration or comply with relevant legislation? You take on a certain level of risk based on the transaction’s context. In this case, the dealership needs processes that safely handle personal information related to a vehicle sale. But it doesn’t have to do more than that, and it certainly cannot afford to do less than that.
Context matters, fit-for-purpose processing matters, CONSENT matters, and learning to balance the legal requirements of POPIA with the customer experience is imperative to remain competitive in an ever-changing legal landscape.
If you try to guard against every conceivable personal data risk, you only damage your ability to transact. On the other hand, if you do not comply with POPIA and other relevant legislation, you might face fines and brand damage. But if you have a clear sense of what type of data you need and why, you can strike a balance between laws such as POPIA and your business’s requirement to use personal information in order to transact with its clients.
Don’t fall into the trap of over-engineering processes out of fear or a wish to mitigate all risks. A blanket approach will not work – every business is different. Fortunately, POPIA gives you the space to determine your own data privacy policy and destiny.