The effects of the PoPI Act on small and medium enterprises in South Africa

Abstract

The Protection of Personal Information (PoPI) Act was created to promote the constitutional right to privacy in South Africa by safeguarding personal identifiable information (PII). This Act respects the right to privacy of customers and employees and also acknowledges the need for businesses to collect and use personal information[1]. Having this type of legislation in place is without a doubt very beneficial to most individuals. However, the effects that the PoPI Act will have on South African small to medium enterprises (SMEs) have not been explored in detail. Current practices such as direct marketing are perceived as a cost effective option for driving sales in SMEs[2] and this option will largely be removed once PoPI is in effect. The POPI Act is a substantial piece of legislation with complex intricacies not easily understood. This complexity adds on to the difficulty SMEs experience when attempting to comply with the Act[3]. Irrespective of the complexity, PoPI is not something that can be ignored and a data information privacy regulator has been established by government. All business owners, not just of big companies, need to comply with this Act or face significant consequences. The regulators will be looking to make examples of organisations not complying and it is of utmost importance to ensure compliance or face the consequences[4]. This paper explores the possible effects of the PoPI Act on SMEs in South Africa, focusing in particular on the marketing strategies used by surveyed SMEs. It also investigates the current compliance of SMEs and reasons why SMEs are battling to comply.