What corporate events agencies need to know about the POPI Act

There’s been a lot of talk in the corporate events industry lately about the ramifications of the impending POPI (Protection of Personal Information Act). Besides a hefty fine of R10 million or ten years in jail, businesses who don’t comply with the act will tarnish their reputations in the process.

Getting used to the new law may take some time, but there’s no doubt that event planning companies who fail to comply will lose out on business as clients seek out events agencies who are compliant.

That said, translating the act into actionable steps can be tricky, due to the ill-understanding of the information contained therein. We’ve deciphered the eight conditions that are relevant to event planning companies in an effort to shed some light on the new laws.

Condition 1: Accountability

The first condition that event planners are required to adhere to states: “(the) Responsible party to ensure conditions for the lawful processing of information”

This means that event planning companies and their employees who handle personal information must make sure that their handling of this information is in accordance to the Act. Those who process this data (in this case, the events company in question) are required to accept responsibility and be accountable for the way in which they handle this information

Condition 2: Processing Limitation

This condition concerns the way in which information is dealt with. Personal information, like a guest’s contact information, is only allowed to be processed if the processing procedure (for example, the sending out of an invitation) is “adequate, relevant and not excessive”. This means that companies are not allowed to bombard individuals with information, nor send them material with is not relevant. Importantly, the data subject (in the case, a guest) may object and withdraw their consent to the handling of personal details at any time if it’s being used in such a way that’s in breach of the Act.

If you’re inviting guests to a corporate dinner, all of your communication with them needs to solely revolve around the event concerned. Using their contact details to send them newsletters about your company, or promotional mail about anything other than the event they’re invited to, is illegal.

This condition also dictates that any personal information must be obtained directly from the individual in question, unless they have made this data available in the public sphere. For example, a guest’s email address for a guest that they’ve included on their LinkedIn profile.

Condition 3: Purpose Specification

Any information that you collect, from an email address or dietary preference, may only be obtained for “a specific, explicitly defined and lawful purpose relating to a function or activity of the responsible party”.

In addition, the retention of this information is subject to various stipulations included in the Act. Condition

4: Further Processing Limitation

This condition stipulates that any further use of any personal information must be in accordance with the purpose it was originally collected for. In other words, events planning companies may use information about a guest if it’s for a follow-up survey about an event, but not if it’s to promote your company.

Condition 5: Information Quality

In the case of event planning companies, this applies to any data collected during the RSVP process. In addition, the POPI act stipulates that this information needs to be updated when necessary in order to remain accurate and safeguard against any ambiguity.

Condition 6: Openness Guests

(referred to as the “data subject”) need to be made aware of the purpose that their information is being collected and the onus of this is on the events agency. Therefore, if you’re given a list of people to invite to an event, it’s crucial that either you or the client has notified the guests as to why their information is being shared.

Condition 7: Security Safeguards

Personal information is valuable currency, which means that companies need ensure that they take the necessary precautions in order to secure this data. Events companies deal with vast amounts of information about their guests, which means that adequate attention must be given to its protection.

Ensure that you’re using a closed intranet or content management system that is secure in order to avoid third parties gaining access to it.  In the event that the security of your guests’ information does become compromised, then the said guest must be notified immediately.

Condition 8: Data Subject

Participation According to the POPI Act, guests may enquire as to whether the events agency is in possession of their information. In addition, they are lawfully able to ask what personal information the company has of theirs. The POPI Act stipulates that they may ask – at any time – that this data is either corrected, or deleted if it is excessive, inaccurate or irrelevant.

There are various other stipulations that are outlined in full in the Act. We suggest that event companies familiarise themselves with the intricacies of the POPI Act, and how it will impact them. For more information, read the document in full here.

Image Credit: HDI