Thought Leadership: Don’t make your data compliance pop – make it POPIA
By Daniel Lotter, Itec SA
Right now, data compliance is top of mind for practically every South African business, and for good reason. The European Union’s GDPR (General Data Protection Regulation) came into force earlier this year, and by this time next year, our own POPIA (Protection of Personal Information Act) will almost certainly be in place.
POPIA is based on the individual’s right to privacy, which is enshrined in our Constitution, and will fundamentally change the way we deal with our customers’ information. How we gather it. How we use it. Most importantly, how we protect it. And frankly, it’s an incredibly exciting opportunity for local businesses to overhaul not only their data policies, but their entire approach to data security, and go beyond mere compliance to create a source of trust and advantage with their customers.
In the past few years, we’ve seen numerous high-profile leaks of customer data. British Airways. Liberty Life. Most recently, Facebook, where we’re told that hackers obtained access tokens for 50 million user accounts. The ramifications of these leaks are terrifying for any business: you can’t tell people you care deeply about their data, which could contain their most personal information, when you weren’t able to keep it safe from prying eyes. The loss of trust is immediate, and devastating.
The costs of data breaches are astronomical. The Ponemon Institute’s research suggests it costs companies an average of $3.62 million per breach across the world. The real cost is that people will leave your customer base because they can’t trust you anymore. Your cost to acquire new customers will double after a data breach.
Unfortunately, no business is safe. It’s no longer a case of if you will be attacked, but when. You’ve got more chance of being a victim of a cyber-attack than you have of getting the flu. That’s why compliance with data protection is not something that we simply leave up to the IT or legal departments. Every department, and every individual, in an organisation is responsible. Because, let’s face it, if you’re hacked, you will be held responsible – by government, by regulators, and most importantly, by your customers and the public.
So what do you do? For a start, you work harder to protect your customers’ identities. This probably means your business has to change its approach to customer information as a whole, and it’s a conversation that has to be driven from the top downwards.
You need to educate your people to be POPIA-savvy, so that everyone knows their responsibilities at every stage of the data journey – collect, store, retrieve, use, retain and destroy. You also need to make people data-savvy: it’s estimated that 25% of data breaches are due to stupidity, like people leaving their computers unlocked or their passwords on a sticky note on their desk.
From a marketing point of view, you’ll have to rethink how you reach new customers. The days of buying a database and bombarding its contacts with your ads and marketing messages are long gone. Legally, your T&C documents will have to change. You can’t just have catch-all clauses: you actually have to get people’s express consent to gather and use their data. And if they want to be forgotten, you have to let them go.
The fact that we still have a bit of time before POPIA is implemented means we can start getting our houses in order now. If ever there was a time to spring-clean your information, this is it. Ask yourself: What personal information do we hold? How do we get it, and why do we have it? Is the consent we have valid under POPIA?
It sounds like a lot of work. And it is. But the benefits of having a happy customer base that trusts you are too great to ignore.