POPI Act in the payment collection industry
POPI Act in relation to payment collection
The Protection of Personal Information Act No.4 of 2013 (POPI) introduced the legal protection framework for individuals and entities involved the collection and distribution of personal information.
This Act sets out the requirements for how information can be processed and compliance to these procedures in a variety of industries, including the payment and debit order collections industry.
The POPI Act has been formally signed into law in November 2013 and organisations who store personal information about any individuals will be subjected to the regulations set out in this Act and will only have one year from the legal introduction to comply.
If the Act is implemented in the business processes of organisations in South Africa today, it might be fully compliant by the time this Act comes in full swing.
The Act also requires that organisations need to establish appropriate policies and procedures to protect the personal data of their clients as part of their business operations.
The payment and more specifically the debit order collection industry has long implemented privacy policies and procedures before the POPI Act was a consideration.
Information stored and obtained from individuals or organisations are protected and treated with the utmost confidentiality in the payment collection industry and therefore we also strive to uphold our status by complying with the POPI Act introduced in November 2013.
The POPI Act really has an effect on any organisation that processes personal information and the key role-players tasked with the POPI Act are:
- Directors, both executive and non-executive are tasked to discharge their legal and fiscal duties to direct the organisation.
- Auditors and assurance providers should audit and provide assurance relating to privacy.
- Risk managers that should manage the privacy risks of individuals and the organisation.
- Compliance officers must ensure that the organisation effectively complies with privacy laws.
- Legal advisers must provide legal advice in relation to privacy of personal information.
- Credit managers that should ensure that personal information of third parties are protected.
- Human resource managers that should ensure that the personal information of employees are protected.
- Marketing managers, especially in the direct marketing fields should market in accordance with the regulations set out in this Act.
Companies in the Financial Services, Banking, Marketing, Insurance and Healthcare industries will be most affected by this Act.
So, what can happen when an organisation does not comply?
- Reputational damage.
- Inability to retain clients or attract new ones due to a loss of trust.
- Penalties and sanctions, which may include civil and criminal action.
Organisations should generally consider the following regarding the POPI Act to ensure that they are within the parameters of the Act:
- Firstly, reading the Protection of Personal Information Act No.4 of 2013.
- The types of personal information the organisation or industry process and how this complies with the requirements set out in the Act.
- Limitations in place on who has access to certain information and the systems of the organisation.
- Ensuring that computers and mobile devices are encrypted with passwords.
- The premises where you store the personal information. There should be security measures in place such as access control and alarm systems.
- Personal information that gets processed on your behalf by various service providers, make sure that they are complying with the POPI Act.
- Lastly, financial losses, especially losses arising from the breach of processing personal information by your organisation.
Adherence to the POPI Act might seem like an impossible task, but with a few easy steps your organisation can comply before the cut-off date November this year.
Completing the following easy steps will get you well on your way to compliance:
- Establish the personal information present in your organisation by conducting an audit. This will include names, surnames, addresses, identity numbers, bank account details and credit history of each individual.
- Keep all of the information stored by your organisation up to date. Policies and procedures should be implemented to ensure that the correct personal information is in the database.
- Evaluate the relevance of information kept by your organisation. Understand why certain information is kept and whether it’s really necessary as it might pose a risk for identity theft.
- Ensure that your organisation has consent from the individual to obtain and store his/her information.
- Evaluate the safeguards in place and whether they are adequate to secure the personal information that you have in your possession.
- Restrict access to personal information and make sure that the organisation is aware who has access to what information.
- Draft a Privacy Policy to promote the protection of personal information within the organisation. Also, provide training and make employees aware of this policy to ensure data security.
- Communicate the implementation of the POPI Act to individuals or entities of whom you have personal information by:
- Informing them that they are in your database.
- Providing them with the benefits of remaining in your database.
- Giving details on the communications they will be receiving from your organisation and how often they can expect to receive this information.
- Providing them with transparency regarding the sharing of their information by informing them with whom their information will be shared and why.
- Publishing the privacy policy implemented by your organisation to make them aware of the seriousness of this matter.
- Giving them the option to opt in to remain on your database by agreeing to the terms and conditions regarding the privacy policy.
- Storing proof of the set out opt in option they have selected.
Direct Debit and the POPI Act
The POPI Act essentially regulates how personal information should be processed and the security of organisations who store the personal information.
The payment and debit order processing industry also have to adhere to the new POPI Act and Direct Debit does this by protecting clients personal information using secure (PCI Level 1 Compliant) networks and servers to store and encrypt client information.
Clients’ information is kept up to date at Direct Debit as we send out notifications to remind clients to keep us informed of possible changes on a regular basis.
Direct Debit discards of the information of prospective clients who are not accepted via the debit order application process. There is no need to keep information of prospective clients who fail to become successful applicants.
Employees of Direct Debit strive for excellence at all times and this includes adhering to the privacy policies of the organisation as well as the newly drafted POPI Act.
Direct Debit is a custodian of the POPI Act and we’ve adapted our systems and procedures to adhere to this Act before the initiation in November.
Get a quote for your business