Exactly what South African Online Sellers need to do to comply with POPI (easy checklist) 

8 min read.....

The POPI act comes into full force for South Africans on the 1 July 2021. If you are an online seller and have an ecommerce website you risk hefty fines if you are not POPI compliant. The good news is that it is not that hard to be compliant. 

Quick disclaimer. We are not lawyers and the content in this blog is for information purposes only. We have discussed this topic with our lawyers and done a deep dive into the what's available on the web in order to bring you this over view of POPI and how to comply. Please always check with your lawyer to be sure you are POPI compliant.

What is POPI?

POPI is a piece of legislation aimed at governing how our personal information is collected, stored and used by others. It's is there to protect our privacy and give us a course of action if we feel our privacy is being violated. In real terms it means we can do something about receiving spam emails or that annoying call selling you life insurance as you are about to sit down for dinner!

How does this affect me as an online seller?

If you sell goods and services online, you need to collect personal information from your customers in order to be able to deliver the product or provide the service. Even if you are not selling something and only asking someone to subscribe to your email list, you are still collecting personal information. The moment you do so, you need to be comply with the POPI act. If you don't you could be on the wrong side of some very heavy fines, potentially into the millions of rands, 

What is considered personal information?

It's critical to understand what is personal information so that you can know what falls under the POPI act and what does not. 

Quick side note: POPI and personal information applies to real living breathing people as well as juristic people. That's a fancy way of saying that companies, CC's, trusts, partnerships and the like are also considered people as far as the act is concerned. 

Back to the question. Personal information is any information that can be used to identify a person and that gives deeper insight into their private lives. For example, if you sell T shirts, you will need a name, address and contact information. It's pretty that this is personal information, but you would also need their T shirt size which be considered personal information as well. 

Other examples are

• First Name
• Surname
• Contact numbers
• Email addresses
• Age
• Gender
• Addresses
• Company name and address
• Company registration details
• Financial information
• Medical information

Applying a little bit of common sense makes it pretty obvious what is considered personal information. 

Am I not allowed to collect personal information anymore?

Not at all. It is still completely legal to collect personal information. As online sellers we need to be able to collect personal information so we can provide goods and services. The critical aspect of POPI compliance is around how we tell our prospects and customers what we information we need and why, and then how we use and safeguard their information. 

What do I need to do to comply with POPI as an online business?

1. Communicate

Whenever you collect personal information from someone you need to tell them

• What information you are collecting
• Why you need the information
• How the information will be used
• Who is taking responsibility for their information
• How they can confirm the data accuracy
• How they can edit their data
• How they can request their personal information be deleted
• Who will have access to their information (couriers, mailchimp etc)
• How to complain if their personal information is misused. 

2. Use your website privacy policy wisely...

The trick here is you need to share all this information with them and get their consent before you can collect any personal information.

That is pretty easy to do. All you need is the correctly worded privacy policy published on your site. Then a check box on every form that you use to collect data. They can then check the box to say they are aware and agree to your privacy policy. The privacy policy does all the heavy lifting for you. 

You will want to include in the wording alongside the check box what it means if they do not give you consent to collect their personal information. For example, if they won't give you consent to ask and store their T shirt size then you can't send them the T shirt they want to purchase.

3. Have offsite agreements for customers and service provider partners

Not everyone your business will deal with will come via your website. This means not everyone will have the opportunity to read your privacy policy and provide their consent. So have other means to share your privacy policy and get consent. I suggest a dedicated page and form on your website. That way you can send them the link and get their consent. 

You will also need agreements in place with any service providers of yours that will need access to your customer's personal information. You could be held liable if, for example, you share personal information with a courier and then that courier sends marketing information to your customer. These agreements should be inline with your privacy policy. 

4. Have Internal Policies with staff and consultants

It's important that internally your team is acting in accordance with your privacy policy. It's not much good having the best privacy policy around but then carrying on as if it did not exist. You need to ensure your staff are aware and have agreed to the terms laid out in your privacy policy. This would apply equally to anyone else who may have access to customer personal information. A common situation maybe 3rd party consultants or agencies. 

5. Register a company information officer

POPI says that someone at your company needs to take on the role of the company information officer. This is the person who assumes responsibility for the companies compliance with POPI and for the correct management of personal information. This lucky person needs to register with the information regulator. This does default to the head of your business if you do not register someone else. 

All you need to do is complete a registration form on the information regulator's portal here. 

POPI Compliance Checklist

If you would like a PDF copy of the checklist to print out and work through then leave your email address below and I will happily email you a copy. 

Summary

The POPI act is a good thing. For too long business and marketers have played fast and loose with our personal information. It has meant we have lost trust and we default to a defensive position in any sales situation. Now with POPI in place we will hopefully see more respect of personal privacy. I foresee this creating a better situation where honest companies that respect their prospects and customers personal information being able to step ahead in the marketing game. 

All we need to do is be honest and transparent about what we information we collect and why. And take reasonable steps to keep that information safe.