POPI Act – what is it? Why is it important to me? Do I need to do anything about it? And what does it have to do with my website? Here I talk about the main ideas and action points you may need to take to meet requirements.
Hooray! The clapping of hands! Yet another government hurdle to joyously leap over! This new POPI act is terrifically confusing, and as the deadline for compliance looms, do you even know what you’re meant to do about it? Sarcasm aside, however, there is some sense in the madness – as South Africa, usually lagging in such matters, steps up to join the rest of the world on standards of data privacy. Or else they’re not going to play nice with us anymore. The Act applies to every business large or small (online or offline), organisation, NGO, church, and school in the country. It applies to doctors, workshops, guest houses, homeowner associations, consultants, estate agents, you get my drift. And most of us haven’t the foggiest what is expected of us.
Don’t panic! Here’s the big picture to get you some clarity – and if you need help for your business or organisation, hey, I know a guy and I’m going to point you his way (because he’s an expert, knows EXACTLY what you need to do, and he is value for money). As for your website, I’M YOUR GIRL! And you’ve got options, so let’s whack a way through this jungle:
First, you have to understand what this Act expects of you. The highlights? You need to tell your client, customer, member, patient what personal data of theirs you are collecting, get permission from them to collect said data and then tell them how you’re going to use it. And then, you need to keep that data safe from being intercepted by, let’s call them… unauthorised third parties with ill intent. And don’t keep that data for longer than you need to.
Your biggest challenge is likely going to be keeping that data secure. You will need to up your security game, both offline and online. Consider how to:
- Encrypt the devices you process information on – you have to secure things like laptops, phones and so on. Can someone access the data if your device is stolen?
- Secure the software you use to process any of this data. Do you use anything like a password manager, for example?
- Come up with processes to keep printed / paper data safe. Do you have practical procedures in place?
- Train your staff how to work securely with private information. Does your receptionist leave client files out in plain view where the public could have access to them (the case at many doctors’ rooms)?
That’s for starters.
Also, do you share your customers’ data with any third parties? Before you snort ‘of course not’, do you store any of your information in the cloud (DropBox, Google Drive, etc.), or use an online mailing service to send bulk emails (MailChimp, ActiveCampaign)? What about the stuff you hand over to your accountant every month? Because those are third parties you’re sharing your database with. They need to be POPI compliant too.
You need, at all costs, to avoid the Information Regulator – that’s your top goal. Not only will you have to inform your database if you’ve had a breach, but you’ll also have to tell the IR. You could face a stiff fine or jail time if you are found to be negligent, no trifling matter. Bad, bad. This piece of legislation has teeth, so I’d suggest making an effort – and especially because that effort is not rocket science (or grade six music theory – WHICH I PASSED), so as the famous shoe ad says, JUST DO IT.
How does your website fit into the frame? Well, if your website collects any identifiable, personal data from online visitors, you need measures to not fall foul of the dreaded IR. Obvious categories are ecommerce sites, but also websites that require any form of login, such as member sites. If you have an online form, well, you’re going to have to make a plan. And even if your website falls in none of these categories, I’d strongly recommend the practical steps below, anyhow, because some of these measures keep your website safe anyhow and can even improve loading speed.
This is what your website needs to be POPIA compliant:
- Privacy policy: what data you’re collecting, what you intend doing with it and all that fine print.
- Cookie notice and acceptance
- Firewall to prevent website data breaches
- Latest CMS and associated applications
- Valid SSL certificate
Also make sure your hosting provider is POPI compliant.
Need help getting your website in shape, then? I can offer you two options:
- DFY (that’s Done For You):
- I sort you out with EVERYTHING (except the SSL certificate, that’s something extra).
- WebWeaver clients only need the privacy policy and cookie acceptance items (because when you host your website with me you get all kinds of added features and benefits). Contact me for costs.
- DIY – a package of short videos and information booklet on how to sort the steps out yourself. Contact me for more info.
This is important, though:
- This offer is ONLY for sites built with WordPress.
- You’ll need to provide me with the username and login password to access the WordPress dashboard of your site.
- Payment and delivery terms: payment is in advance and upon confirmation of payment, the job will be done within one working day. Hey, I sleep at night.
- For generation of SSL certificates, send me an email so we can take a closer look at your hosting arrangement.
And as promised, let me point you to Peter Carruthers if you want to make sure your whole company is in line with the Act.. He has compiled a FABULOUS POPI compliance course that spells it out in wonderfully plain English, with superbly practical action points and extremely useful resources. You get five lectures to help you get compliant in less than a week, Information Officer Training, Staff Training, document resource pack and more. Find more details here: