Prepare for POPI by Putting Privacy First
Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as the National Health Act (healthcare), personal information-specific rules such as POPI (Protection of Personal Information Act), electronic-specific rules (Electronic Communications and Transactions Act), the rules and regulations of specific professions (HPCSA Ethical Rules), or even the various foreign laws such as the European Parliament’s General Data Protection Regulation (GDPR – applies to businesses which conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue, but instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.
Compliance concerns are increasing in magnitude and importance.
As privacy and data breach issues continue to make front page news on a near-daily basis, and with the South African Government working on new privacy laws (POPI), such compliance concerns are increasing in magnitude and importance. The reality is that whether you are aware or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations:
- Do you accept credit cards for payment?
- Do you gather any personal information about your customers, patients, employees, members or vendors?
- Do you electronically store any data on your computers or servers?
- Do you sell or market on the Internet?
- Do you conduct any business with, or market your business to, any person or entity located in another country (cloud storage)?
- Are you in the financial or health industry?
- Do you seek to conduct any credit checks on potential employees or customers?
The above only addresses a tiny fraction of the activities which subject you to regulation. So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.
Times have certainly changed.
As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple with Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed.
On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes; each of whom turned consumer concern about automobile safety into a marketing opportunity to distinguish themselves from the competition by marketing their superior safety features.
How does a business use consumers’ privacy concerns as a marketing tool?
The obvious next question is how does a business use consumers’ privacy concerns as a marketing tool? The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors, and that you will keep them safe.
To accomplish this goal, you must:
- First determine which regulatory scheme(s) govern the operation of your business.
- Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law.
- Third, you should examine how, if at all, your competitors address and promote their privacy obligations.
- Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies.
Importantly, you must not only inform your customers of what your privacy and data security policies are, but how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (i.e., anti-lock brakes) and how they would protect you if you did crash (i.e., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four-steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.