POPIA and corporate communications


With the deadline for compliance with the Protection of Personal Information Act (POPIA) coming into effect on the 1st of July 2021, communications professionals are faced with the new challenge of retaining contact databases and reaching out to existing customers and broader markets – within the confines of the Act.

For communications departments within enterprises, and for their agencies, POPIA challenges old models for communicating with markets. Once, databases could be bought and compiled from many sources, and targets approached for multiple campaigns. However, POPIA puts an end to the practice of bought and shared databases with no consent from contacts. Where previously organisations had only to offer audiences the opportunity to opt out from direct marketing messages in line with the ECTA and CPA, now they will need them to opt in. For marketers, this impacts the old refer-a-friend campaigns, but does offer the advantage that those who have opted in are actually interested in the organisation’s products and services.

The valuable media lists that organisations and agencies hold will have to be checked, with journalists consenting to be contacted in future. In Business-to-Business marketing, POPIA applies too – if contacts are personally identifiable through their names, email addresses and personal phone numbers.

Organisations wanting to alert existing customers to new products and services must secure their consent to do so, and bear in mind that if consent is refused, asking again would be in contravention of the Act.

Even with the consent of all the people in your database, marketers and communications professionals will have to take extra measures to secure that data and ensure that everyone involved in gathering, processing and storing it is similarly secure and compliant. In addition, organisations must make sure that their data practices are transparent.

Marketers and communications professionals will also have to ensure that it is easy for those on their databases to unsubscribe from communications at any time.

Red Ribbon client KnowBe4 Africa believes staff training is crucial for underpinning all enterprise security and compliance, since people make up one of the most important pillars of your overall data protection & cyber security strategy. Anna Collard, SVP Content Strategy and Evangelist at KnowBe4 Africa, notes that: “people frequently cause data breaches through error, and less seldom by malicious intent. Working from home has made people even more susceptible to social engineering attacks, due to the added distractions and complexities of this new environment.” Collard’s advice is for organisations to ensure that training and policies are made easily digestible and simple enough for all staff members to understand, and are supported by tools that enable staff to do what is expected of them (such as password managers, multi-factor authentication, and a simple “report this phishing email” button).

For organisations concerned that their communications models may not be fully compliant, the safest approach is to partner with a marketing and communications agency such as Red Ribbon Communications, which has invested heavily in becoming fully POPIA compliant and understanding the correct procedures for internal and external communications, B2B marketing and direct marketing.