PoPIA and Business Risks

Data protection and privacy concerns rank among the most pressing issues of our modern age, with accompanying laws attaining an ever-increasing level of importance. Certainly, the Protection of Personal Information Act of 2013 (PoPIA) and the recent implementation of the General Data Protection Regulation (GDPR) in the European Union both aim to meet the need for robust legislation and strict enforcement.

In a rapidly evolving global business environment, one thing seems certain: data protection and privacy laws will not stand still – and neither can the organisations subject to them.

When it comes to PoPIA and business risks, the legal risks of non-compliance (fines and prosecution) are obvious. We won’t spend time on those here. Instead, let’s look at a few other commercial risks associated with non-compliance with data privacy legislation.

The lack of a vibrant data privacy debate in South Africa has certainly contributed to the “incognito status” of the Information Regulator to date, yet a “low profile” does not provide immunity to any business.

The following are a few of the commercial risks that businesses could face if they choose to ignore PoPIA.


Risk: The cost of data breaches and business downtime caused by the theft or loss of critical data is a real risk.

No company can afford to take the risk of cybersecurity ignorance. It makes good business sense to take data privacy seriously, and PoPIA can help in the establishment of a security-conscious workflow. In fact, the legislation encourages business to re-evaluate and improve its overall cybersecurity strategy.

Mitigation: Establish accurate control over the entire IT infrastructure, build healthier data protection workflows and streamline security monitoring. These are basic risk mitigation steps that adherence to PoPIA can facilitate.

Redundant, Obsolete and Trivial Data (ROT)

Risk: ROT data poses a high and unjustified risk to the business, as well as adding to the cost of storing (unnecessary) data. The question is therefore really: why take responsibility for something that has no value?

Data practices used before the implementation of data privacy legislation were, and mostly still are, managed by legacy IT systems that do not comply with the modern requirements determined by both PoPIA and good corporate governance in the digital age. (IT systems used in South Africa that were developed before 2016 do not comply with elementary data privacy requirements and are thus referred to as legacy systems.)

Mitigation: PoPIA compliance assists business in mitigating ROT. Getting a data map for a business is not only required to ensure compliance runs throughout the business; it can also help streamline operations. It does so by deduping lists and ensuring customer information is up to date and as accurate as possible, while also being processed with consent. In turn, this can help deliver on the right of any South African citizen to enquire what data a business holds on them and to ask for it to be deleted or corrected.

By deduping irrelevant ROT that stalls marketing efforts, such as lost leads or unengaged addresses, a business gains access to a lean, fine-tuned database of highly relevant leads and customers that genuinely want to engage. With this information at hand, businesses will be able to experiment with niche marketing by tailoring their message to the specific needs and habits of a clearly defined audience that has more interest in their brand. Such a granular marketing approach will result in higher click-through conversion rates and social sharing, and will increase marketing ROI.

By cleaning up the data and erasing sensitive ROT data, such as former customers’ personal information as required by PoPIA, businesses will furthermore slash costs on storing and processing this irrelevant data.

Loyalty and Trust

Risk: The TalkTalk Telecommunication data breach in October 2015, resulting in a loss of more than a billion Rand, is a case in point here. Apart from the financial losses, they also paid in terms of customer trust: they lost more than 100 000 customers as a result of the breach. More recently, with the Equifax data breach in September 2017, more than 140 million personal data records were compromised and Equifax faces a 50-state class-action lawsuit in the USA. That too indicates a major loss of loyalty and trust.

Mitigation: PoPIA compliance assists in constructing a relationship of trust and loyalty with customers. When gathering consent to use data subjects’ data, customers will have a clear understanding of how and why their personal information is used. Since consumers are becoming more and more suspicious about how their data is handled, the transparency and responsibility demonstrated by companies will encourage trust in products, services and brands.

By educating their customer base about their level of PoPIA compliance, businesses will show their integrity in how they deal with customer data, and how they value it. That is the first step in developing a new business culture.


Adherence to PoPIA isn’t just a legal requirement. It in fact has significant commercial benefits and contains methodologies that make business more competitive. To demonstrate this, a recent study has made four key recommendations on how business can turn data privacy compliance into a business advantage. These are:

  • create a cross-functional privacy working group;
  • practice Privacy by Design (PbD);
  • make privacy a corporate social responsibility; and
  • create great experiences around consent and preference.

If you’d like to know more about the opportunities that PoPIA opens for your business, please get in touch.