POPI has been in the news practically everyday since the POPI Act was signed into law last year by South African President Jacob Zuma. As this news begins to settle in; companies of all shapes and sizes are trying to come to terms with what this means for them and the personal data that they hold. Some industries will be impacted far more than others. once such industry is the call centre industry.
What does POPI mean to call centres?
To give you an idea on the scale of the call centre dilemma; according to the CCMG (Contact Centre Management Group), there are nearly 1 900 call centres in South Africa. Of those 21% are corporate or captive call centres and 40% are outsourced call centres dedicated to outbound sales and telemarketing.
Operationally, call centres are going to have to review their strategies as the Act will change how call centres store; use and share personal information. According to POPI, companies (like outsourced call centres) using personal information will be obliged to log, store and transfer all of that personal information securely. Third parties involved in data access, such as call centre IT support, will thus need to enter into formal agreements and implement the necessary security measures.
One of the main areas of POPI that affects call centres (and the agreements that they have in place with their clients – in the case of outsourced call centres) is that the call centres can only use information for the purposes it was collected.
This means, for example that if a person signed up for a specific campaign, and the call centre collected the data to use for that campaign only, the person is not allowed to be contacted for different campaigns. Going forward, if someone opted in to receive only SMS communication, the call centre should use that channel and that channel only. This principle will be supported by the Consumer Protection Act’s national opt-out register (once in operation).
In terms of POPI, a person also has a right to obtain a copy of the record of personal information that a call centre might have on him, and if the company is not by law entitled to have that information, that person may ask for it to be deleted.
Companies will need to disclose security breaches for example where personal information has been hacked or lost.