How to prepare for POPI: a few guidelines for call centres


By liamarus, 28 June, 2013

The Protection of Personal Information Bill (POPI) is expected to be passed before the end of the year. Many South African businesses are scrambling to get their houses in order and ensure that their operations are compliant with the provisions of this bill – particularly with regard to their call centre operations.

According to the Contact Centre Management Group (CCMG), there are close to 1 900 call centres in South Africa, with 21% being corporate or captive call centres and 40% being outsourced call centres dedicated to outbound sales and telemarketing.

Jana van Zyl from Dommisse Attorneys foresees that call centres will need to review their current business operations: “Very simplistically put, the bill will change how call centres use, share and retain their customers’ and prospects’ information. This will include operations for specific campaigns on behalf of clients.”

How the bill will affect your call centres

In terms of POPI, companies responsible for using personal information are obliged to protect the personal information of their customers and prospects, or their clients’ customers or prospects (depending on whether it is an in-house call centre or a third-party service provider). This means that call centres have to log, store and transfer personal information securely. Third-party suppliers to call centres with access to the personal information, for example third parties that provide IT support services to call centres, will have to enter into formal, written agreements to regulate the relationship. They would have to implement security measures accordingly.

Bruce von Maltitz, director of 1Stream, a hosted call centre technology provider, says that although hosted service providers cannot advise call centres on whether or not they are compliant from a legal perspective, they are able to provide expert advice on crucial technical aspects, such as data storage and encryption. Hosted providers are also able to relieve some of the implementation headaches surrounding compliance, and are much better suited to securing sensitive information than call centre managers themselves.

You must take reasonable care

The law also states that the “responsible party” must prove or disprove the claims made against them. It is therefore imperative that the call centre is able to prove that it has implemented “reasonable organisational measures”, e.g. reasonable security measures that are always adhered to.

Call centres can only use information for the purposes for which it was collected

For example, if a person signed up for a specific campaign, and the call centre collected the data to use for that campaign only, the person should not be contacted for a different campaign. Going forward, if someone only opted in to receive SMS communication, the call centre should use that channel and that channel only. This principle will be supported by the Consumer Protection Act’s national opt-out register (once in operation). In terms of POPI, a person also has a right to obtain a copy of the record of personal information that a call centre might have on him, and if the company is not by law entitled to have that information, that person may ask for it to be deleted.

Companies will need to disclose security breaches, for example where personal information has been hacked or lost.

What are the repercussions and the remedies?

Companies that are not compliant with the act may face fines of up to R10 million – as well as civil action. If a person feels that their right to privacy has been breached, they can take action against the company.

Be warned: There is no quick fix for POPI compliance. Start by meeting with an attorney who specialises in privacy law. Complete a gap analysis and start implementing action plans based on unique organisational needs to ensure compliance with POPI.