Do you currently use a service provider or agency to execute your customer communication campaigns? If so, you need to ensure they are preparing for the Protection of Personal Information Act (POPI).

Although only certain sections of the Act were enacted in November 2013, namely the definition of key concepts, such as “Data Subject” and “Responsible Party,” and the sections that allow for the establishment of the necessary authorities;  the rest of the Act is expected to commence in May 2017. Thereafter, it is expected that companies and their service providers will have one year to comply.

Likewise, if you consider outsourcing certain communication processes in the future, this Act will place additional demands on how you select that agency, the responsibilities of each party and the contractual terms that govern the relationship.

Defining the” Operators” in the POPI Act

Large corporates typically engage with multiple communications agencies (referred to as “Operators” in the Act) who are required to process customer information in the course of providing their services.

The list can include all or a combination of the following:

• A below the line agency doing postal mailshots
• A digital agency executing email and SMS campaigns
• A WASP receiving data to send personalized text messages
• CRM or data specialists contracted to perform segmentation and analysis of customer and transactional data

As the Responsible Party, the organization which controls the data remains accountable for the security of their customer’s information, and for their own compliance with the Act.

This means that if you hand over your customer’s personal information to a third party for any reason, you better be sure that they are compliant with the Act’s provisions and are vigilant about data security.

Here are 5 questions to ask your communications agency in preparation for POPI:

1. Have you conducted a gap analysis to prepare for POPI?

Why ask this? A gap analysis will highlight the areas in which the agency does not yet comply and this will form the basis of their planning. The analysis must cover processes, technology, staff education and crisis management in the event of a data breach. This exercise will also assist in defining the split of responsibilities between you as the data owner and the agency as the data processor.

2. What are your plans to achieve compliance and by when?

Why ask this? Because interventions are likely to be required at multiple levels, delaying POPI readiness until the clock starts ticking is risky for a communications agency, especially one that uses technology to process data. There needs to be a high level of ownership at the executive level, supported by detailed work streams to address each identified gap.

3. Who is your Information Officer?

Why ask this? Every organization that processes data is required to appoint and train an Information Officer. This person must have a clear mandate and work within specific guidelines for the development and maintenance of adequate security procedures. The responsibility that rests with the Information Officer in a communications agency is significant.

4. What are your Security Policies and procedures in the event of a data breach?

Why ask this? It is very important that an agency’s policies around data security are documented and there are clear procedures for how data is received, stored, processed and destroyed in the normal course of business. In addition, there needs to be a clearly defined risk management process in the event of a data breach. Who is responsible? What will be done? How will this be communicated? These are all considerations that cannot be figured out in the midst of a crisis.

5. What training has been provided to your staff?

Why ask this? It’s imperative that the agency’s staff and yours have been educated on data protection, risk and preventative measures. As you do in the event of a physical crisis (fire!) staff should be regularly trained and run drills on what is required in the event of a data breach. Get proof from the agency that all their employees have received the appropriate training and understand their personal responsibility in securing your customer data.

Protecting all players in the communication chain

Our communications industry has long operated on codes of good practice with regard to dealing with customer information. Now the POPI Act requires more transparency and formalisation of each party’s responsibilities around data security. This may be seen as a short term burden, but in the long term, it protects all the players in the chain – the consumer, the data owner and the agency that facilitates the communication flow between them.

So why in this age of convenience and online savvy are so many companies struggling to get their customers to sign up to electronic billing? Portals have been built, consolidators have been launched but still, consumers are not flocking to switch off that piece of paper.

Is it easy to say yes?

It all comes down to convenience. It’s the convenience of receiving the document easily and this is where sending it attached to an email is crucial (I don’t want to have to fetch my document from a website, when my mailman delivers it to my door without me having to do a thing). It’s also about the convenience of the sign up process. We need to think about how easy it is for customers to say yes to electronic billing.

Persuading customers to consent is more than just blasting an email out asking them to register.