The POPI Act is set to impact your real estate agency
Over the years, your real estate agency has gathered client data. How you collect, store, and disseminate this information has taken the spotlight. South Africa’s Protection of Personal Information (POPI) Act protects the personal information of its citizens - and it has been in effect since 1 July 2020.
You have a 12-month grace period before compliance with the POPI Act becomes mandatory. While non-compliance can mean substantial fines and even imprisonment, real estate agencies should embrace the positives of the POPI Act. It’s an opportunity to get your ducks in a row.
What is the POPI Act?
If you’ve received an unsolicited SMS or promo email, you know how intrusive it can be. There’s been a strong call from consumers against these marketing practices. The POPI Act or POPIA was formed to protect South Africans' right to privacy. This includes the right to protection against the unlawful collection, retention, dissemination, and use of personal information.
The POPI Act defines “personal information” as that relating to an identifiable, living, natural person or where applicable, an identifiable, existing juristic person. Here are examples of personal information your real estate business may be collecting:
- Demographic information: this includes age; gender; race; marital status; national, ethnic, or social origin; language; and the birth of the person.
- Client history: this includes details about their education, medical, financial, criminal, or employment history.
- Contact information: any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignments to the person.
- Biometric information: such as a fingerprint or facial pattern.
- Opinions: this includes the personal opinions, views, or preferences of the person - consider your testimonials or reviews.
- Private correspondence: this is correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
If you process personal data from inside South Africa, POPI applies to you and you’ll have to comply with the Act’s requirements. The POPI Act legislation describes personal information and the processing of data in greater detail. You can read it here: download the Act.
Why does the POPI Act matter?
The POPI Act’s importance is twofold. For South African citizens, the Act strengthens their personal information protection rights. They’ll know when their personal information will be collected and have the ability to agree or decline the collection. They’ll be able to ask whether you have collected their information and have this information edited or deleted from your database.
For your real estate business, you’ll need to put measures in place for properly collecting and protecting the information you gather. You could be in hot water if you don’t comply with the Act, with financial penalties reaching as high as R10 million and a 10-year jail sentence. Your brand reputation could also be tarnished if you suffer a data breach, as this will be made public.
Remember, as cybercrime increases, data breaches are becoming more common and increasingly costly. A study by IBM Security found that data breach incidents cost South African companies R40.2 million per breach on average among organisations studied. Being POPI compliant means being data smart. This will benefit your business in the long run.
What POPIA requires from your business
Under the POPI Act, you’ll still be able to collect information from your current and potential clients. It doesn’t seek to restrict your business endeavours. Instead, it puts in place clear guidelines your real estate business will need to follow.
POPIA provides eight conditions for lawful processing of data in South Africa:
1. Accountability: you’ll need to ensure information processing measures are met by complying with the Act.
2. Processing limitation: you’ll need to process the information lawfully and for the minimum purpose required; processing must be consensual, and the information must be collected directly from the subject.
3. Purpose specification: you’ll need to explicitly define the specific purpose for the collection of information.
4. Further processing limitation: any additional processing of information must be compatible with the purpose of collection.
5. Information quality: you’ll need to take steps to ensure the personal information provided is complete, accurate, not misleading, and updated.
6. Openness: you’ll need to document all processing operations. This includes notifying the subject when collecting information.
7. Security safeguards: you’ll need to secure the integrity and confidentiality of personal information.
8. Data subject participation: you’ll need to ensure that the data subject can exercise their rights to access, correct, and delete their data.
Meeting these conditions can seem overwhelming. You have time, and with a careful plan of action you can get your business ready.
Steps to take to get POPIA compliant
Here are some practical ways to get started.
- Get the ball rolling: create a plan of action to start getting POPIA compliant.
- Get your team ready: relevant members of your real estate agency, marketing team, and suppliers should all be familiar with the Act and its requirements. You may also need to train your staff so they can ensure compliance with the Act.
- Evaluate your operations: you need to know what personal information you collect, from whom, and how it is stored.
- Appoint an Information Officer: the Information Officer is a role within your business required by the Act. This team member has a range of responsibilities including encouraging compliance, dealing with requests made to your company related to the Act, and working with the Act’s Regulator.
- Make your operations compliant: after spotting gaps that are not compatible with the Act, you should work on rectifying them.
Prop Data’s response to POPIA
Prop Data understands that our clients will be looking to get POPIA compliant ASAP. Next month, we will launch a drip campaign solution, sent to your existing database, for clients looking to get POPIA compliant. Recipients will be provided with an opt-in between now and when the Act becomes enforceable by the end of June next year. Please contact your Account Manager for more information about our upcoming promo.
The POPIA clock is ticking
Protection of personal information is a serious issue and your company should make the move to comply with the Act. The risks and penalties attached to avoiding compliance are real and can be damaging to your business. The steps you take now can make 2021 much easier for your operations.