The POPIA deadline is 1 July 2021 — are you ready?

Protection of Personal Information Act

Data is the lifeblood of your real estate business. From client to employee data, every day you collect, send, and store valuable information. How you process this information is taking centre stage this year. From 1 July, you will need to be fully compliant with the requirements of the Protection of Personal Information Act (POPIA). If you haven’t started, the time to kick-start your POPIA compliance journey is now.

A POPIA refresher

POPIA is a law aimed at protecting people’s personal information. It provides conditions for how public and private bodies can lawfully collect and process personal data. The Act came into effect on 1 July 2020, but gives you a 12-month grace period to get your business aligned to its expectations. You can view the full Act here.

POPIA defines personal information to include (but not be limited to) demographic information, client history, contact information, biometric information, personal information, confidential correspondence, online identifiers, and information related to children. If you process any of this data from inside South Africa, POPIA applies to you and you’ll have to comply with the Act’s requirements.

POPIA outlines eight general conditions for the lawful processing of personal information: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

Non-compliance with the law has severe repercussions for your business. These include financial penalties, imprisonment, reputational damage for your brand, and a loss of client trust, and they can potentially stifle your business’s growth.

In South Africa, cybercrime is on the rise, especially since the introduction of COVID-19 lockdowns. Nearly half (45%) of South African respondents in Mimecast’s State of Email Security 2020 report said ransomware attacks had impacted their organisation. With data loss being a consequence, getting your data protection strategy in order is the way to go.

Steps to take for POPIA compliance

POPIA does not provide real estate businesses with a list of do’s and don’ts when it comes to meeting the requirements of the Act. You will need to tailor your own privacy policies with a data protection expert or specialist. However, here are some general measures you can put in place to meet the eight conditions.

1. Accountability: You will need to ensure information processing measures are met by complying with the Act. This includes appointing or hiring an information officer or a deputy information officer who will bear the sole responsibility to ensure that data collection and storage is undertaken correctly.

You will also need to have a data protection policy in place that details all your personal information policies, procedures, and practices. This shows your commitment to data protection and can cover you if you suffer a data breach.

It is also important to show evidence that staff have been trained and are aware of their duties and responsibilities in terms of the Act.

2. Processing limitation: You will need to process the information lawfully and for the minimum purpose required. Processing must be done consensually, and the information must be collected directly from the subject.

To comply, you can add a disclaimer to all your marketing materials and company forms clearly explaining what you are collecting the data for. You can also provide “opt-out” and “unsubscribe” areas on newsletters and other communications.

3. Purpose specification: You will need to explicitly define the specific purpose for the collection of information.

Again, this goes back to having a well-defined data protection policy in place. It’s also helpful to understand where your sources of personal information lie such as your personnel, suppliers, and clients. By doing so, you can take full responsibility and evaluate the needs of this data across your business.

4. Further processing limitation: You must ensure any further processing of personal information is similar to or compatible with the original purpose for which it was collected.

It’s important to create a culture of transparency in your business. The “why” and “how” of data collection and use should be made clear to data subjects. Your team should also be well versed in ensuring data is processed in a way that doesn’t infringe on the rights of data subjects.

5. Information quality: You must take reasonable steps to ensure the personal information provided is complete, accurate, not misleading, and updated.

With your CRM, for example, you can do regular clean-ups to keep your data fresh. You can remove unneeded fields and remove contacts who have little activity or invalid contact details. Be sure to document these clean-ups for your data protection policy.

6. Openness: You will need to document all processing operations. This includes notifying the subject when collecting information.

You can create a page on your website explaining what data is collected and how it is used by your business. You should also provide the contact details of your information officer should a data subject wish to enquire further about the process. All data collection processes should be clear about their intentions and uses.

7. Security safeguards: You will need to secure the integrity and confidentiality of personal information.

You can keep data secure by applying software updates, creating strong passwords, and installing the latest firewalls and antivirus software. In the event of a data breach, you will need to communicate this to your data subjects. This can be done through the usual channels such as email, social media, and SMS. Creating templated notifications in advance can help you distribute this message quickly.

8. Data subject participation: You must allow data subjects to access their personal information and provide them with the opportunity to correct or delete any personal information held about them.

Having an information officer who is easily accessible and can communicate directly with data subjects is key. It’s important they can confirm the data subject’s identity, understand where the data subject’s data is stored, have a system such as a form to capture requests, and provide feedback when a request has been attended to successfully.

POPIA compliance for Prop Data clients

To keep our clients on the cutting edge of POPIA compliance, we are making a number of changes to our systems.

EOS website updates:

1. We will update all standard and custom forms to make subscription opt-ins clearer for users and communicate what they can expect following a sign-up. These will include links to your privacy policies.
2. Your standard privacy policies will be updated with information aligned with POPIA requirements. If you have a custom policy on your website, we won't automatically update it unless requested to do so.
3. Unsubscribe links will now point to a new unsubscribe/subscription management page. This provides a double opt-in email and subscription confirmation.
4. Your newsletter subscribers will now receive two subscription management confirmation emails.
5. Your website will now include a form where clients can request the information held about them.

PDMS updates:

1. You will have access to a POPIA activation flag which will allow the following:
1.1. Uncheck all communication subscription form opt-ins by default.
1.2. Enforce cookie display notice.
1.3. Force all new form submission opt-in flags to use the new POPIA compliance opt-in.
1.4. You can track which mail list subscribers and email alerts subscribers are non-compliant — this will be reflected in their record status.
1.5. Automatically send out a double opt-in email to manually captured leads/contacts. This will lead them to the opt-in confirmation page to confirm their subscription status.
2. Keep track of all clients who have provided their consent to be part of your leads management system.

HubSpot feed updates:

1. The HubSpot feed will be updated to allow bi-directional synchronisation of consent for your customers between EOS4 or EOS3 and HubSpot.

Prop Data POPIA promo

POPIA’s greatest challenge will be shifting your strategy to comply with its requirements. Thankfully, Prop Data is pushing forward with plans to ensure your digital marketing is aligned with the Act.

In addition to our system changes, we’re also offering a promo campaign to keep your email database intact. Your clients will get an automated email each month from March to June promoting subscription compliance and providing reminders to opt in for further communication. Contact your Account Manager to find out more.