The Costs of Being Compliant: A Huge Additional Burden for Struggling Businesses Post Covid-19


The Protection of Personal Information Act 4 of 2013 (POPIA), which came into effect on the 1st of July 2021, has businesses scrambling to ensure that their house is in order amidst the COVID-19 pandemic. POPIA is prescriptive in its requirements, as companies big and small are required to process information in a lawful manner. For the ordinary business owner, the process of ensuring compliance is proving to be a daunting undertaking.

POPIA is rigid with regard to the processing and disseminating of personally identifiable information (PII). The concept in itself might be construed as perplexing to small business owners. However, it simply refers to any information which can be used to identify a specific individual. Examples of personally identifiable information include, but may not be limited to, age, identity numbers, gender-centred information, telephone numbers, biometric information, etc.

POPIA has indeed created a dynamic and significant shift in the online marketing platform, as companies can no longer contact clients as they please. A focal point of the Act is explicit and express consent from the individual to whom the PII belongs. Businesses are legally obligated to gain the express consent of customers before using their PII for the purposes of ongoing contact with them and/or sharing marketing information through all forms of communication mediums (email, telephone, SMS, etc.).

For the small business owner, the process of becoming compliant may prove to be intimidating and incredibly overwhelming, as larger companies have funds to secure the services of POPIA consultants and attorneys. The following guidelines may prove useful in paving the way for the POPIA compliance journey:

Businesses ought to evaluate the way data is processed within their company, and the platforms that are utilised in their businesses. It is most certainly a great starting point to evaluate and analyse the current systems and tools in place. Business owners must note the way information is collected, stored, disseminated and destroyed. New strategies ought to be implemented to manage the data in terms of POPIA compliance.

Gaining the express consent of clients to process their information, as well as to contact them for marketing-related purposes, is key. If a business website is being utilised, it will prove helpful to insert an “opt out/in” tab so that customers have the choice to decline receiving further marketing material and being contacted in the future (this is also a provision of the Consumer Protection Act (CPA)). It would also be deemed improper to assume that existing clients have given their permission to be sent marketing materials. It is indeed best practice to ensure that even for your most supportive and loyal clients, express consent is sought.

Businesses ought to understand the way data is being collected. If it is via the old-fashioned paper method, ensure that the PII is being stored in a safe and secure space with an access-controlled register. Information must at all times be accounted for and protected. If information is being captured electronically, ensure that the personally identifiable information is encrypted and password protected. Refrain from forwarding statements to clients without encrypting their personal information. Store passwords in a safe, reliable and secured place.

Do not collect unnecessary information. As a rule of thumb, the PII which you obtain from your client must be relevant to the intended purpose of their interaction with your business. Once the information is no longer useful and the purpose of your interaction has expired, it is advisable, unless otherwise indicated by law, that PII be destroyed in a “manner that prevents its reconstruction in an intelligible form.” This is to ensure that the information is not unlawfully obtained, and the right to privacy as enshrined by section 14 of the Constitution of the Republic of South Africa is respected.

If businesses utilise a social media platform, they must be mindful as to what information is shared. If you are posting pictures of your client with your products, or an item with their PII on it, be sure to get your client's express consent. Not only does it display courteous and ethical business practice, but you can also rest assured that you are in compliance with POPIA. Compliance is key, and perusing the POPIA as well as having a copy on hand could prove to be useful, as non-compliance carries severe penalties and possibly even a prison sentence.

The Companies Act of 2008 has also placed a significant amount of pressure on business practices. Businesses are required to comply with best practices at all times in terms of ethical processes, ethical marketing and ethical products. Customers are indeed very sensitive to ethics in business and will support only those businesses that are deemed transparent. Thus, businesses have been forced to adopt a changed focus in respect of the ethical aspects of the organisation’s business practices. Triple bottom line, corporate governance, corporate social responsibility and broad-based black economic empowerment (BBBEE) indicate a major change from the belief in previous eras that organisations are only in existence to make profits.

The CPA, a dynamite and transformational piece of legislation, protects consumers in South Africa. Consumers have gained monumental rights and, considering the proliferation of hacking and data-hijacking, it is an absolute requirement.

In the past, businesses derived substantial benefits from using standardised terms and they generally adopted a “take-it-or-leave-it” stance if asked by the customer to make changes to the terms and conditions. The CPA now gives the consumer the right to restrict unwanted marketing via email, SMS or telephone. Businesses are now forced to put measures in place to record their existing or potential customers’ preferences in terms of what they are prepared to receive and when. The CPA enables consumers to pre-emptively block any direct marketing attempts, whether this is by email, phone or printed material in the post. The consumer must first be informed that a company wants to market to them directly and provide consent to do so. Additionally, to ensure CPA compliance, retailers have now had to put the following measures in place: “consumer education”, “employee training”, “emergency funds”, “purchasing of insurance”, “customer consultants”, “quality-assurance”, “refunds”, and “replacement and compensation for defective products”.

Retailers have been forced to re-examine their institutional rules and the terms and conditions of their agreements, at their own cost. They have also been forced to examine the implications of breaches of contract, as well as penalties imposed on the consumer. From a communications perspective, retailers are required to pay more attention to their business and legal documents to ensure that they are readable and easy to comprehend. This may entail additional staff to manage these tasks. The retailer is obliged to inform and educate a disadvantaged customer and to take responsibility for ensuring that they comply with the plain language requirements. Marketing and communication policies are mandatory in businesses to ensure that marketing and communication strategies embrace simplified communication to ensure that the ordinary consumer with average literacy skills understands a contract and its obligations. It is the social responsibility of retailers to ensure that they carry out good business practices. Retailers are also required to adhere to the following:

  • Labelling and trade descriptions of products should not be misleading;
  • A notice should be displayed to inform customers about “grey” or re-conditioned goods;
  • Contact information should be disclosed when supplying products via catalogue marketing;
  • A “cooling-off period” should be included in direct marketing transactions and this period usually spans five business days;
  • A returns process should be in place, within fifteen business days of receiving the cancellation notice from customers;
  • Customers should be afforded an opportunity to examine goods purchased or delivered;
  • Defective goods should be repaired, goods and services should be of good quality, and damaged or defective items should be refunded or replaced;
  • The duration of any promotions in catalogues or brochures should be clearly specified; and
  • Any further communication should cease if the consumer has requested to be unsubscribed from the mailing list. The privacy of the consumer will have to be respected.

All of the aspects highlighted above entail additional costs for the business owner. As customers opt out of their marketing and sales databases and these databases continue to shrink, retailers will have to constantly look for alternative means of promoting their products.

It is important to consider sociological jurisprudence and to stay abreast of how the law influences businesses and the consumer. The CPA cannot function without anyone transacting. Leading private higher education institute, MANCOSA, offers a Post Graduate Diploma in Business Management as well as a Law qualification in Paralegal studies. Whether you are contemplating starting a small business entity on a part-time basis or whether you wish to be a hands-on, full-time entrepreneur, MANCOSA’s accredited Higher Certificates, diplomas and degrees will provide the requisite grounding to positively shape your business trajectory.

Disclaimer: The content as stated herein is for guidance purposes only. It is not a prescriptive indicator or checklist in managing data protection and privacy, and in no way must be misconstrued as legal or other professional advice.