Popia Declaration
POPI AND DMASA
Introduction to POPI and the DMASA Code of Ethics and Best Practice
Identity theft, a hacked bank account and privacy violations – if your or your customers’ personal information isn’t handled correctly, the consequences can be dire.
As an affiliate advertiser, it’s important to be well acquainted with the legislation and best practices involved regarding the handling of personal information in South Africa.
The purpose of this article is to introduce and familiarise you with POPI and the DMASA Code of Ethics and Best Practice. It offers a broad overview and does not serve as legal advice.
What is POPI?
POPI (also known as POPIA) stands for the Protection of Personal Information Act. It’s a legislation that was created to protect personal information. This legislation sets conditions for the lawful processing of personal information. It also regulates the manner in which personal information is processed.
Who needs to comply with POPI?
If you collect, store, use or process personal information, you must comply with the POPI act. The marketing industry is one of several industries that will be most affected by POPI.
When should I be ready to comply?
The act was signed into law in November 2013. The commencement date still needs to be confirmed, but it’s estimated to be between the first week of April 2018 and 1 December 2018. Once the enforcement date has been announced by the President of South Africa, a 12 month transition period will be given to ensure that all relevant parties are ready to comply.
How will it affect my company?
It’s compulsory for every company to appoint an Information Officer. If an Information Officer hasn’t been appointed, the CEO will carry the responsibility.
What are the conditions?
There are eight conditions present in the POPI Act that guides the lawful processing of personal information. We’ve described each condition broadly below:
- Accountability
The responsibility for compliance lies with you or your organisation. - Processing limitation
Personal information should be processed lawfully and only the necessary information should be processed. If an individual objects, then you may not process their personal information any further. An individual can also withdraw their consent at any time. - Purpose specification
Personal information must only be collected for a specific function and the individual needs to be aware that their information has been collected. - Further processing limitation
Personal data cannot be used for other purposes than it was initially intended for. - Information quality
You need to ensure that the information collected is accurate. - Openness
The individual needs to be aware that you’re collecting their personal information. - Security Safeguards
It’s your responsibility to keep all the personal information you’ve collected safe. - Data subject participation
Individuals can ask you to confirm, free of charge, if you hold personal information about them. They can also ask you to correct or remove information.
What happens if I don’t comply?
If an individual’s information has been compromised, they may lodge a complaint with the Information Regulator. The Information Regulator can hold guilty parties accountable for non-compliance. This can result in a hefty fine or imprisonment.
Who is the DMASA?
The Direct Marketing Association of SA (DMASA) is an independent body set up and paid for by companies in the direct marketing industry. The DMASA Code of Ethics and Best Practice lists the criteria for professional conduct. It covers the overarching ethical principles of marketing and universal marketing practices. It’s also fully compliant with all laws related to the industry.
It is not compulsory to join the DMASA and applying its regulations is voluntary. However, the DMASA believes that the voluntary application of the professional regulations can “ensure the elimination of dubious practices more speedily and less costly than government legislation.” It also sets out to maintain the standard of good and honest business practices.
When joining the DMASA, companies sign an acknowledgement of compliance, after which they are responsible for observing the Code. If the DMASA receives a consumer complaint in the event of a violation of the Code, the DMASA will contact the organisation in question to pursue international mediation procedures or further steps.
You can download a copy of the DMASA Code of Ethics and Best Practice here for more information.