The deadline for POPIA (Protection of Personal Information Act) compliance is looming. All forms of processing of personal information must conform to the Act by 1 July 2021 (South Africa).
In 2018 I issued communications to all of my clients about the GDPR (General Data Protection Regulation) and you may have utilised my services to help make your websites compliant with this regulation.
If I assisted you with GDPR compliance steps for your website as listed below, I believe your website will be sufficiently POPIA compliant, but please pay close attention to the database and mailing list suggestions further on.
As stated in my Terms & Conditions of Service, responsibility for POPIA and GDPR compliance resides with you as the business/website owner and as data controller. You will need to set your own data security protocols and ensure your handling of your customers’ or clients’ personal data is compliant if you would like to (continue to) utilise my services.
To better understand what POPIA compliance is all about, see www.popia.co.za.
HOW TO MAKE YOUR WEBSITE POPIA COMPLIANT
Below are my recommendations for making your website POPIA compliant. I can assist you with these if they’re not in place already:
- A privacy policy on your website together with a notice advising users what cookies are stored and how long you will keep their information for (this data retention period could also relate to CRMs and mailing lists which should be cleaned up regularly).
- Ensuring there are no pre-checked sign-up boxes on contact forms and no automatic adding of users to newsletters such as MailChimp.
- A statement accompanying any newsletter sign up advising how you will store, protect and utilise the user’s personal information. Newsletter sign-ups should have double opt-in enabled.
- A statement on all contact forms advising how you will store, protect and utilise the user’s personal information, and a checkbox to agree/opt in.
- The anonymisation of IP addresses in Google Analytics tracking.
- Ensuring your website has an SSL certificate installed (https:// URL) with website security to protect against a data breach.
The main thing is to ensure that users are explicitly opting in on your website rather than being automatically added to mailing lists, and that you tell users what data is being collected, how it will be used, how it will be protected, how it can be deleted, who has access to it and how it is shared. See this helpful article on website GDPR compliance.
I implement these steps in all new websites I build so if your website was launched after June 2018 it’s likely this is already in place but please feel free to double check.
DATABASE/MAILING LIST COMPLIANCE
In addition to the statements and opt-in checkboxes mentioned above, it’s important to ensure that your MailChimp or other database/mailing list account is using double opt-in with GDPR-activated fields, meaning the user receives a follow-up email to confirm they wish to sign up to your mailing list.
It’s also important to periodically clean up your mailing lists and remove inactive subscribers’ data, and furthermore, make your users aware of the data retention period in your privacy policy.
NEXT STEPS
If you would like to take steps to make your website POPIA compliant please contact me for a quotation.
Disclaimer:
This is not legal advice; I am not a lawyer or a POPIA/GDPR compliance expert. These recommendations are as a result of my own independent online research. It is your responsibility as the website owner to ensure your business and website is compliant and it is your responsibility to update your website Terms & Conditions and Privacy Policy.