The main substance of the Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on 1 July 2020.

POPIA now places obligations, and consequences for breaching those obligations, on the various role players that deal with personal information. Briefly, the key sections now in force include:

  • the eight conditions for lawful processing of personal information;
  • regulation of the processing of special personal information (a special category of personal information with a higher degree of protection given its highly sensitive nature);
  • power of the Information Regulator to issue codes of conduct which will regulate specific industries and their management of personal information;
  • procedure to deal with complaints; and
  • regulation and procedure for dealing with direct marketing by means of unsolicited electronic communications, directories and automated decision making.

As a starting point, any organisation, including those in the insurance industry, should ask questions along the lines of: what personal information does it hold? What information does it actually need? Where does information come in, and where does it go out? What information is it required by law to retain? And who has access to it? Answering these questions (in effect, building an inventory of personal information and a map of how it flows) lets an organisation see where the gaps in its systems lie when it comes to protecting personal information.

The insurance industry uses data for a variety of business objectives, namely to understand clients and their behaviour and to improve existing products and develop new ones. The industry is also highly interconnected, with many business relationships that sometimes involve cross-border transactions, in which the EU General Data Protection Regulation (GDPR) may apply in addition to POPIA. Asking the questions above, to establish what information is held and how it flows, is therefore important.

Organisations will need to identify, and remain aware of, the key areas in which they collect and process personal information, both internally and externally. Internal collection relates to employees: employment agreements, CCTV surveillance, photographs and videos. External collection relates to clients, customers and service providers: contracts, online contact forms, direct marketing and databases. The changes that need to be made are not hugely onerous. After conducting a POPIA risk assessment, the main changes could include drafting and implementing the relevant policies (namely an employee privacy policy, website privacy policy, security compromise and response plan, CCTV policy, cookie policy and password policy); establishing appropriate controls and processes and monitoring compliance with them; updating contracts to include POPIA clauses; appointing an information officer (by default, the CEO as head of the private body); and conducting ongoing awareness training and monitoring. Once the legal obligations imposed by POPIA are properly understood, the compliance and implementation process should run smoothly.

Also of importance in the insurance industry is the section dealing with direct marketing. If an organisation intends to market its products by email, automatic calling machines, SMS or the like, then, unless the data subject is already a customer of the organisation, the voluntary, specific and informed consent of the data subject is required, and consent may be requested only once. Implied consent is not allowed. This means that the 'opt-out' approach to direct marketing can no longer be used for prospects, and an 'opt-in' approach is needed, because consent must be obtained before any marketing takes place. Even for existing customers the exception is narrow: their contact details must have been obtained in the context of a sale, the marketing must relate to the organisation's own similar products or services, and each communication must give the customer a reasonable opportunity to object. Although there is no mention of prohibiting the purchase of databases, any processing and use of such databases, for example to conduct market research or to sell products through direct marketing, must comply with the conditions for lawful processing and the requirements for direct marketing.

Change always brings challenges, so ensuring compliance with POPIA may involve some bumps in the road. This is nothing new to organisations in the insurance industry, which are used to an ever-changing regulatory environment given the highly regulated nature of the financial services sector. As mentioned above, the insurance industry uses personal information in many ways to gain a better understanding of its clients, from direct marketing and online contact forms to interconnected relationships with other organisations in the industry. The industry may therefore face several challenges in implementing POPIA, so it is vital for organisations to work towards compliance sooner rather than later, and it may be a good idea to invest in the assistance of a POPIA specialist.

POPIA has been on the statute book for many years, and it would be surprising if organisations had not, to some extent, recognised its general nature and its impact on their business operations. Organisations that deal in cross-border transactions should already be up to date with the GDPR, which shares many of POPIA's concepts and obligations.

Organisations still have a year to become compliant with POPIA, which is enough time to get their ducks in a row; however, the clock is ticking. Although some organisations may in the past have regarded POPIA as a nice-to-have, it now underpins the relationship of trust between an organisation and its employees, clients, customers and suppliers, and in the event of a data breach the financial and reputational loss could be overwhelming.
