South African insights to GDPR and POPI for marketers

Privacy legislation is rolling out across the world, with Europe’s GDPR already rolled out, and South Africa’s POPI on the way. Here’s our take - after research and interviews - on this new legislation, with practical tactics and actionable tips.

Estimated reading time: 4 minutes, 35 seconds.

As you might already know, privacy legislation around databases and data collection policies are being tightened around the globe.

As an inbound marketing agency, we’re passionate about ethical data collection and wanted to update you on our research on this changing legislation.

Recently, EU’s General Data Protection Regulation (GDPR) was released, which will influence some of our clients, while South Africa’s Protection of Personal Information Act (POPIA, more commonly known as POPI) is set to come to life in 2019. Once POPI is implemented, companies have a grace period of one year to get their databases up to scratch, or could face heavy penalties - including jail time and heavy fines - for incorrectly collected and used personal information.

We attended a talk hosted by Everlytic that helped dig into some of the tricky legislation around email marketing, and we explain the relevant sections in this article.

1. GDPR vs POPI 

In Europe, GDPR (General Data Protection Regulation) was implemented on 25 May 2018. The act overlaps with POPI in many ways, and was designed to protect EU citizens and how their data is collected. Says AltAdvisory, “A particularly noteworthy feature of the GDPR is that it applies extraterritorially.  This means that it is not limited in its scope to businesses that are based in the EU; rather, it may also apply to businesses located outside of the EU. In such instances, those businesses will be required to comply with the GDPR, despite not being located within the EU. This is aimed at protecting the rights of EU data subjects, regardless of where and by whom their personal information is being processed.”

To summarise, this affects any South African business that has employees in the EU, or does business with citizens of the EU. Considering the interconnectedness of global business, it is possible that your business interacts with EU citizens and these laws might apply to you.  

ITNews Africa explains this very well in this excerpt:

“Much like South Africa’s Protection of Personal Information (POPI) Act, the GDPR makes organisations accountable for personal data protection. It governs how businesses can collect, process and store information that could lead to the identification of an individual, including names, ID numbers and even IP addresses and location data. Essentially, the GDPR puts the individual at the centre of data protection, giving them the right to know how their personal data is being used, stored, protected, transferred and deleted, as well as the right to be forgotten.

This means that data protection will become a top compliance and strategic priority for companies. It also requires businesses to apply the same level of protection to personal data as they would to any other business asset – if not more.”

Read more on GDPR here or look at HubSpot’s GDPR checklist.

We also recommend you read our blog on how POPI affects your digital database or our POPI Compliance checklist.

2. GDPR basics - does it apply to us?

The main way that we fall into GDPR legislation is because we (might) monitor the behaviour of individuals while they are in the EU. Monitoring is defined as: “tracking individuals in the EU on the internet or elsewhere in order to create a profile of them or to analyse their preferences, behaviour and attitudes.”

3. Important things to note about GDPR

1. GDPR is not about geography (people living in the EU), it's focused on citizenship (EU citizens).
2. Punishments for not being compliant: massive fines, and the threat of having to re-consent your database.
   

4. How to comply to POPI and GDPR

When the legislation is rolled out, we recommend you or your agency taking the following actions on your HubSpot account:

• Turn on the option in your account to alert website visitors that you use cookies on your site and blog. This won’t change your customer and potential customer’s user experience at all, and merely ensures that the data we collect for marketing is compliant.
• Add a disclaimer to all of your forms stating something along the lines of: “By entering your information here you are consenting to receive communication from [company name].”
• Send an email to your current database informing them that you have stored their information, and that they can remove themselves at any time.

Rule of thumb: if people on your database shouldn’t be surprised to hear from you.

New customers

1. OPT IN approach. Example: they must actively tick a box to say ‘yes’, not tick a box to say ‘no’. To explain further, on a form for a content offer, the user must be told EXPLICITLY if signing up for the content offers adds them to a database that means they will receive further communication from us, that is not to do with receiving the content offer.
2. Consent needed PER CHANNEL i.e. sms and email are separate consents (POPI)
3. Consent needed PER PRODUCT i.e. if a potential lead signs up for content on a cellphone contract, they can’t receive information on WiFi.

Existing database

IMPORTANT TO NOTE: YOU ONLY NEED TO GET FURTHER CONSENT IF YOU SAY NO TO ALL OF THESE 4 QUESTIONS (and you need to be able to prove this if you are audited):

1. Did they buy a product and service from you?
   AND
2. Did they know you would send them marketing materials?
   AND
3. Are you marketing the same or similar products to them?
   AND
4. Are they given an opportunity to opt out?

These laws might sound complicated, but it really comes down to this: market as you want to be marketed to.

Subscribe to our blog for more insightful content on the world of marketing and, if you’d like help marketing ethically, get in touch today.