POPI Act

POPI Act compliance – three words causing an uproar in the industry. Event planners rely on a myriad of information in order to do their job properly – but adhering to POPI Act compliance is set to change the way we collect, store and manage this data. If you haven’t put protocols in place to ensure that you’re abiding by the law, here’s why can’t afford to turn a blind eye:

1. POPI Act compliance affects the way you store and collect all guest data

From guest lists to emails to RFPs – all content that contains the personal information of clients and guests needs to comply with the requirements of the Act. Implemented in order to protect the privacy of individuals, the onus is on event companies to make sure that they’re doing the best they can to secure any and all of the personal details they’re privy to.

2. Protecting your clients’ information involves far more than keeping guest lists secure

What many people don’t realise is that POPI Act compliance requires daily actions on the part of anyone who is privy to personal information. This includes data contained in job applications, email correspondence, employee details and guest profiles. POPI Act compliance isn’t just a once off – you need to approach all content that contains private information with care.

3. All content management systems – including laptops, intranets and software must be password protected

Leaving your laptop open while you pop out for lunch can result in far more dire consequences than someone changing your Facebook status. Make sure that you’re doing everything in your power to secure private information. This includes: all contact details, demographic information, employment and medical history, education, criminal records, private correspondence and importantly any personal opinions about the person in question.

4. POPI Act compliance requires that you notify the individual in question about any processing of their personal details

One of the Act’s stipulations is that besides ensuring the integrity and safety of personal information, companies are required to notify the individuals (known as the ‘data subject’) in question as to what data they have on file and then their intended use of the information. Importantly – and what many people don’t know – is that it’s also their responsibility to communicate the fact that they have securely stored this information, verify whether this data was given voluntarily and then ask the subject how long they’re able to keep it for.

5. POPI Act compliance relies on the use of software that can securely store data

All of your efforts to comply with the Act will be in vain if you’re not making use of event management software that’s also POPI Act compliant. Claiming ignorance is moot in the eyes of the law, which means that you need to ensure that programs you use are following POPI protocol. The protection of personal information will only become more and more important – to your guests and clients alike – which is why you need to be able to demonstrate that you’re adhering to POPI requirements. Failing to do so has severe ramifications, and besides possible jail time or a hefty fine, it’ll cost you your clients and reputation too.

Event compliance entails a multitude of considerations. Collaborate with us to make sure your events are on the right side of the law.

On the 27th November 2013, President Jacob Zuma signed the Protection of Personal Information (POPI) Act into law. With such a broad scope, the POPI Act will affect almost every business in the country – especially companies planning events, which involve the storage of personal information of hundreds of guests. The ramifications of not protecting sensitive information stringently enough was demonstrated by the recent Ashley Madison debacle, where millions of members had their cardholder data breached.

The Act affects the processing of any kind of personal information of “identifiable, natural, living person[s] and juristic person[s] (companies, CCs, etc”, including contact details, demographic information, medical and employment records and even personal correspondance. After a commencement date is set, businesses will have one year to become fully compliant with the Act.

Millions of Ashley Madison’s users had their person information leaked

In July this year, dating website Ashley Madison (made famous by the fact that it facilitates extramarital affairs) was hacked by a group calling themselves The Impact Group. Millions of users’ account information was stolen and later leaked. The aim of the breach was to try and force the dating website’s parent company Avid Life Media (ALM) to shut down after The Impact Group accused ALM and its members of “fraud, deceit, and stupidity”.

Enforcing strict data processing policies could have avoided the data breach

The reason this hack was possible in the first place was due to ALM’s policy of storing users’ real names, email addresses, real addresses and credit card transactions indefinitely. If a user wants their account deleted, they must pay the equivalent of R253 – and even after the account has been deleted the company still keeps their data. The data leak that occurred on the 18th and 20th of August proved this. According to the technology blog The Verge, the company made R2.3 million in 2014 from this erroneous delete option.

Complying with the act will benefit your organisation in the long term

The Ashley Madison data leak didn’t only create bad press for the company – it had terrible implications for its users. The risk of data breaches – including fines, legal issues and damage to your company’s image – is reduced by complying with the POPI Act. Complying with the act demonstrates you operate with complete transparency, instilling greater confidence in your customers and stakeholders. By complying with POPI you’ll be only be storing data you absolutely need and destroying that which you don’t. This will help improve the integrity of your databases.

How you comply with POPI depends on the nature of your organisation

There are different requirements for complying with the POPI Act depending on the nature of your organisation. Even though your company might operate in a highly regulated environment and comply with other regulations relating to protecting sensitive personal information, it might not satisfy all the POPI Act criteria. You will still be required to comply with the POPI Act in full.

Prepare to become POPI Act compliant sooner rather than later

Many firms underestimate the amount of work required to become POPI Act compliant. While in South Africa we are still awaiting confirmation for the date that the POPI Act will come into effect, companies would do well to begin working towards becoming compliant with the act. The Ashley Madison fiasco is one of the worse potential scenarios that can ensue from failing to protect personal information.

 POPI Act compliance is an important part of event planning

Planning an event involves pooling as much information about your guests’ and their preferences as possible. You do this to ensure you create an event that both resonates with them and achieves your marketing objectives. Even basic information like names, email addresses, dietary requirements and spouse names needs to be protected and processed in line with POPI requirements. By using corporate event planning software that’s POPI Act compliant, you can rest assured that any data you manage with it complies with the act.

For more information about how POPI compliant corporate event planning software can help you avoid the nightmare of not processing and protecting sensitive information securely.