The Protection of Personal Information Act (POPIA) will protect South Africans’ constitutional right to privacy. This includes a requirement for lawful justification to exist before a data subject’s personal information (PI) may be processed.
The questions on everybody’s lips are:
- Will this put a stop to unsolicited approaches?
- Will the collection of personal information as part of prospecting for new clients become unlawful?
- Will the mining of databases to generate leads still be allowed?
- May we approach existing clients that have not given their explicit consent with offerings of new services and new products?
The practice of prospecting, referrals and leads generation
The answers to the above questions are not as bleak as they may appear. POPIA is not only about protecting individuals’ right to privacy, but also aims to balance this right with the legitimate needs of organisations to collect and use personal information (PI) for business and other purposes.
Expanding the client base and maximising opportunities from the existing client base is one of the cornerstones of successful business practice, and the practice of prospecting, referrals and leads generation will remain the lifeblood of financial service providers and their representatives.
It is widely acknowledged that there is a need for financial education among South African consumers, and that the financial services industry has a crucial part to play in bringing the knowledge and tools for achieving financial wellness within reach of consumers.
Consumers in general do not reach out to seek opportunities to obtain financial advice or to invest in a financial product, so it is up to the industry to approach them. We therefore believe that by approaching a prospective client, we are not only pursuing our own legitimate interest, but also protecting that of our clients and potential clients.
It is our business objective to promote, create and enhance the financial wellness of South Africans, and to bring financial wellness within reach of all South Africans by offering not only products and services, but also our wealth of knowledge and expertise.
Processing personal information without the data subject’s consent
Can you collect and process potential customers’ personal information, and approach them, without their consent?
POPIA allows for the processing of PI without the data subject’s consent where it is necessary to protect a legitimate interest of the data subject (the client or prospective client), or for pursuing the legitimate interests of the responsible party.
POPIA also allows for a data subject’s PI to be collected from sources other than directly from the data subject, for instance through leads or referrals, or from a public source, and for that information to be processed further.
In line with the principle of minimality, the amount of PI thus collected should not exceed what is required to make a meaningful and productive first contact with the prospective client.
How much personal information can be collected without the prospective client’s consent?
To improve the chances of a successful approach, some basic information about a prospective client is needed. Over and above the name and contact details, it may include information regarding the prospect’s age, marital status, important life events and employment.
While a great deal of this information can be legally sourced through social media, the principle of minimality requires that no more information should be collected and processed than what is necessary to achieve the immediate purpose of successfully approaching the client.
If successful, resulting in further engagement with the client, consent must be obtained for the collection and processing of additional personal information required for the agreed purpose.
What about existing clients who have not given explicit consent?
When clients take out a new product, or make use of a provider’s services, such providers have a legal right to process their personal information.
It then becomes the provider’s duty, in line with the requirements of the FAIS General Code of Conduct, PPR principles and TCF outcomes, to provide ongoing services, regularly reviewing their financial plans and keeping them informed of new products and services that could potentially enhance their financial wellness.
Unless they specifically choose to opt out, existing clients can and should be approached regularly.
Remaining POPIA compliant
How can we ensure we remain compliant when we process PI without the data subject’s consent?
- The PI must be safeguarded against loss or unlawful access.
- The PI may be used only for the purpose of making contact with the prospect.
- Only PI that is essential for the purpose of prospecting (i.e. to qualify and approach a prospect) may be collected, and nothing more (principle of minimality).
- Information obtained may be enhanced from public sources (e.g. the Internet, Facebook, Twitter, LinkedIn).
- Prospects’ consent for the further processing of their PI must be obtained at the first engagement.
- Where prospects refuse consent for their PI to be collected or processed, or indicate that they do not want to be approached again, a record must be kept, to ensure the data subject is not approached again. It would be necessary to make the client understand that, in order to respect his or her wishes, limited PI will have to be processed on an Opt-out register in order to prevent future interactions. Where an intermediary or practice does not wish to pursue particular prospects, their PI must be destroyed as soon as reasonably possible.
- Where PI is collected directly from the prospect (e.g. by way of competition entry form, attendance register, feedback form, email campaign), the purpose for collection of that PI must be specified and displayed clearly and legibly in plain language. Furthermore, it must be made clear that the information is collected on a voluntary basis and that no individual is under any obligation to provide any of the information requested.