Making sure your business has an online presence and connecting with virtual customers is more important than ever. At the very least, make sure that you don't make these common mistakes when attempting to be compliant with the POPI
We are yet to see any convictions for failing to comply with POPI in South Africa, but if POPI’s European counterpart, GDPR is anything to go by, being caught unaware is no joke. A few memorable fines thus far include Google’s €50 million mistake for running a single personalised advert without prior consent from its users and Facebook’s £500,000 fine for the misuse of your data in 2016.
This is a blog that refers to the 5 most common mistakes made by South African online businesses. To create your own customisable Website Privacy Policy feel free to visit our shop
With parts of POPI only becoming operative in 2020, it is equally fitting as it may be problematic for South African businesses. Never before has it been this important for all South African businesses to have an online presence and protect your data but, never before has it been this treacherous. Running an online business almost always collects some form of customer or user data. Whether it be for a simple newsletter, a competition form or saving customers login data, you now have a serious legal responsibility to make sure that all of your users are aware of what you are doing, why you are doing it and that you are taking the correct measures to protect their data.
Failure to do so and not complying with the POPI Act will now result in exorbitant fines and jail time for some. And something you won’t read online and what I am here to tell you is that pleading naivety if you are found to be compliant, will not help you in any way. So here are the 5 most common mistakes we frequently witness South African businesses making and how to learn from them;
1. Making no effort to be compliant
It seems obvious, but something we see far too regularly is South African companies and freelancers which make zero effort to comply with the POPI Act when operating their businesses online. It is glaringly obvious to anyone familiar with the online world (let alone authorities) when websites have no links on their website to a Privacy Policy yet, require your information to operate their business. An online business rarely collects no user data at all. Cookies, comments, email newsletters and “contact us” forms are all points of data collection that you should be aware of. If your business is online, you should be asking yourself two vital questions; “do I collect any fraction of user data?” and “how do I become compliant and maintain my compliance if I do?”.
Checkout : Service Level Agreement Template South Africa
2. Becoming superficially compliant
The next step often taken by online South African ventures, is to become compliant for the sake of being compliant- with the minimal amount of effort required. It makes sense that, particularly when starting a business, you focus on the core aspects required to make money and often require a quick-fix for decidedly less important services. A website Privacy Policy seems like something far too many businesses deem to be unnecessary or just a box which requires ticking. What your privacy policy covers should be as unique as the products you sell. Generic privacy policy templates may offer a quick solution to appear to comply with POPI but, if you read the document and there are any clauses which do not cover your online business completely, it is your responsibility to redraft the document. Not doing so and presenting an incorrect document to your users means that you are knowingly not complying with the POPI Act and can potentially damage both your business’s image as well as your bank balance.
3. Becoming compliant once and once only
Drafting a comprehensive Privacy Policy and ensuring that you have taken all the correct steps to comply with POPI is sometimes a massive undertaking and the very first thing businesses do when setting up their online presence. It is correct to be legally compliant before going online but, a lot of South African businesses that were in their ‘start-up’ phase have since taken on a whole new life of their own. A small online website can quickly grow to become a webshop, blog and support page with four different domains and entirely different uses of data collection. What we witness is, businesses remembering the effort required to draft their legal documents and believing that for the investment, the documents should be comprehensive enough to cover almost anything for their business. And that is the issue. A well written Privacy Policy, for example, will cover almost anything but as soon as a business gears up and diversifies, making small edits to a legal document and recycling it time and time again increases the likelihood of the document being error-prone and your business becoming non-compliant. What South African online businesses should be aiming to achieve is being legally proactive and remaining compliant as their business ventures change- not recycling unrelated documents.
4. Being compliant but not making your documents readable
Having a professionally-drafted comprehensive privacy policy in place should be one of the very first steps every business should take when operating online. It should contain an up-to-date list of all your practices with regards to any personal user data– collection, processing and storage, as well as provide a transparent overview of what you intend to do with the data.
You have 12 months from when POPI was officially enacted on the 1st of July 2020 to become compliant. Failure to do so by the deadline could result in a maximum of 10 years in prison or being charged with a R10 million fine by South Africa’s Information Regulator.
An unfortunate mistake we commonly see, however, is websites which make the document difficult to find, present the document in using jargon that makes it difficult to understand and have an English-only version on websites with different available language options. All your website’s legal documents need to be easily accessible (not just a single link on your homepage), and available in all languages your website is available in. They should be presented in easily understandable text, as the end goal is to provide all the relevant information required to be POPI complaint, in a simple and accessible way.
Also Read: Non Disclosure Agreement Template
5. Believing that becoming fully POPI compliant is difficult
There is currently a notion amongst South African businesses that acquiring comprehensive online legal documents may take days to complete and involves inevitable legal fees. So, many fall into the trap of using non-compliant generic templates or re-using older versions of legally drafted versions. This notion is entirely incorrect and there is a wealth of information and various services available to support South African online businesses who are ready to become POPI compliant.
We understand though, that this learning curve requires some time. Something South African business owners and freelancers do not have a lot of. So, to make your life somewhat easier and to ensure that you can remain both GDPR and POPI Act compliant, we have created an automated, customisable Privacy Policy. You can make use of our leading contract automation engine to enter your website’s information and customise a professionally drafted Privacy Policy. The process takes a few minutes and along with an available working guide, you can quickly create and re-create your website’s legal documents- keeping you and your users’ informed about what exactly you do with their data at all times.
