POPI Act: A data analyst’s point of view
Jessie Rudd, Data Analyst at PBT Group
On 1 July this year, the Protection of Personal Information (POPI) Act goes into effect with considerable penalties in place for non-compliance. This is the culmination of a process that began in 2013 and has been through numerous delays and revisions. But regardless of the history behind it, the focus on data and its protection must now drive virtually every business process with a significant impact on the consumer experience.
Take telecommunications operators as an example. They have massive amounts of personal customer data pertaining to everything from phone calls made to location information. Traditionally, they have been able to use elements of these to upsell more personalised services to customers. However, there has been, and always will be, a massive threat of compromise, with threat actors trying to hack into their systems to access this sensitive data.
For instance, malicious users have been able to use data SIMs and fraudulently sign up mobile phone users to WASP services (think customised ringtones, downloadable wallpapers, and even adult content to name just a few).
This is where POPI now comes into the equation. Originally, the Act stated that service providers had to ensure that data that could be used to identify a person was encrypted. However, this has subsequently evolved to now include the encryption of every piece of customer data, whether personally identifiable or not.
As such, there needs to be quite a mindset change when it comes to how data can be used. The scary thing is that there is a significant number of front-end systems in place. For a telecom operator, this puts them under pressure to still deliver an effective customer experience. After all, people might visit a store, give them their number, and want to find out if they are due for an upgrade. Even just something as straightforward as confirming address details becomes a complicated process if the store does not have access to the encrypted data. This requires a balancing act in getting the store enough information to still be useful to customers.
It has become a minefield for companies trying to put checks and balances in place around access to personal data while still delivering a good experience.
There are similar examples in financial services. If a service provider sells different solutions to customers, like insurance, medical aid, credit, and so on, POPI makes it impossible to change personal information from one central location. So, if a customer has all these products and services and wants to change their address or contact details, they must do so at each department of the service provider. This only results in consumer frustration despite the best intentions of the Act.
Increasingly, this will result in service providers finding ways around the rules and hiding in the grey areas to avoid impacting the customer experience. After all, people do not really care if their data is being encrypted if their problems cannot be fixed.
That is not to say that consumers have not become too blasé about their data. They must realise that personal data can be used for anything. It is easy for somebody to know exactly where a person is, who they are meeting with, even what they are ordering for lunch.
Ultimately, data must be protected. Laws like POPI are in place to prevent information from being stolen. Consumers must understand this and be aware of this changing landscape as much as the organisations themselves.