Is your communications agency ready for POPI?
Do you currently use a service provider or agency to execute your customer communication campaigns? If so, you need to ensure they are preparing for the Protection of Personal Information Act (POPI).
Although only certain sections of the Act were enacted in November 2013 (namely the definitions of key concepts such as “Data Subject” and “Responsible Party,” and the sections that allow for the establishment of the necessary authorities), the rest of the Act is expected to commence in May 2017. Thereafter, it is expected that companies and their service providers will have one year to comply.
Likewise, if you consider outsourcing certain communication processes in the future, this Act will place additional demands on how you select that agency, the responsibilities of each party and the contractual terms that govern the relationship.
Defining the “Operators” in the Act
Large corporates typically engage with multiple communications agencies (referred to as “Operators” in the Act) which are required to process customer information in the course of providing their services.
The list can include all or a combination of the following:
- A below the line agency doing postal mailshots
- A digital agency executing email and SMS campaigns
- A WASP receiving data to send personalised text messages
- CRM or data specialists contracted to perform segmentation and analysis of customer and transactional data
As the Responsible Party, the organisation that controls the data remains accountable for the security of its customers’ information and for its own compliance with the Act.
This means that if you hand over your customers’ personal information to a third party for any reason, you had better be sure that the third party complies with the Act’s provisions and is vigilant about data security.
Here are five questions to ask your communications agency in preparation for POPI:
- Have you conducted a gap analysis to prepare for POPI?
Why ask this? A gap analysis will highlight the areas in which the agency does not yet comply and this will form the basis of their planning. The analysis must cover processes, technology, staff education and crisis management in the event of a data breach. This exercise will also assist in defining the split of responsibilities between you as the data owner and the agency as the data processor.
- What are your plans to achieve compliance and by when?
Why ask this? Because interventions are likely to be required at multiple levels, delaying POPI readiness until the clock starts ticking is risky for a communications agency, especially one that uses technology to process data. There needs to be a high level of ownership at executive level, supported by detailed work streams that address each identified gap.
- Who is your Information Officer?
Why ask this? Every organisation that processes data is required to appoint and train an Information Officer. This person must have a clear mandate and work within specific guidelines for the development and maintenance of adequate security procedures. The responsibility that rests with the Information Officer in a communications agency is significant.
- What are your Security Policies and procedures in the event of a data breach?
Why ask this? It is very important that an agency’s data security policies are documented and that there are clear procedures for how data is received, stored, processed and destroyed in the normal course of business. In addition, there needs to be a clearly defined risk management process for the event of a data breach. Who is responsible? What will be done? How will this be communicated? These are all considerations that cannot be figured out in the midst of a crisis.
- What training has been provided to your staff?
Why ask this? It’s imperative that the agency’s staff and yours have been educated on data protection, risk and preventative measures. As you would for a physical crisis (fire!), staff should be regularly trained and run drills on what is required in the event of a data breach. Get proof from the agency that all their employees have received the appropriate training and understand their personal responsibility in securing your customer data.
Protecting all players in the communication chain
Our communications industry has long operated on codes of good practice with regards to dealing with customer information. Now the POPI Act requires more transparency and formalisation of each party’s responsibilities around data security. This may be seen as a short term burden, but in the long term it protects all the players in the chain – the consumer, the data owner and the agency that facilitates the communication flow between them.