ZaiLab software

Deconstructing PoPI – What it Means for the Contact Center Industry

‘The time has come’, the Walrus said, ‘to talk of many things. Of shoes – and ships – and sealing wax. Of cabbages and kings.’

The time has come to talk about PoPI contact center regulations and its effect on the contact center.

After a generous grace period, the Protection of Personal Information Act (PoPI) is finally being rolled out in May this year.

The prognosis? You’ll be okay, but you’ve got work to do.

Wait, what’s a PoPI?

In a nutshell, PoPI regulates what companies can do with their clients’ personal information and holds them accountable for any breaches. Companies are also required to be more transparent about how they store client data and what they use it for.

The scope of ‘personal information’ includes, ID numbers, dates of birth, email addresses, gender and race descriptors, online usernames, financial information, criminal records, education, employment history and even biometric data.

What does this mean for your contact center?

We’ll tell you.

What do the experts say?

Alistair Corder – CEO of Apliso, a company that specializes in ISO standards management – says the effect on the contact center industry will be far-reaching. He advises companies to take stock of what personal information they have on hand and identify what it is being used for.

‘It would be very useful to contact all your clients and advise them – in terms of the PoPI Act – that you have their information, that you obtained it from “X” source and that your clients have the right to request any updates or changes to the information held by you.’

As a starting point, Alistair recommends you create an email address where your clients’ change and delete requests can be sent to – and ensure agents are adequately trained on the new regulations.

So what can companies do to be more compliant?

We hate to break it to you, but there is no quick fix.

‘What is needed is a detailed look at information processing across all facets of the business where it pertains to personal information. Then to look at the implementation of an information security management system aligned to PoPI requirements,’ says Alistair.

This will involve looking at all aspects of information security such as access control, storage, back-ups, validation and HR, as well as your policies and processes involved in handling data.

‘The ISO 27001 Information Security Management System Standard is a very good starting point as this gives you a fully certifiable system that would go a long way to “proving” PoPI compliance,’ says Alistair.

If you haven’t started preparing, start now. Like, right now. ‘Projects of this nature take anywhere between six and 18 months, depending on the size and complexity of the contact center. Legal engagement is also crucial to ensure documents such as contracts are correctly worded and meet the requirements of PoPI.’

Yeah, it ain’t too pretty is it?

What about lead lists?

If you’ve bought a list from a lead broker, you still need to ask those people if they’d like to opt in to be contacted by you. If a lead says no, that’s it. You have to remove them from the list and cease all contact.

Remember, lead brokers are in the same boat as you. In fact, their boat is painted neon pink to make them even more visible. All those super-long lists they’ve curated over the years need to be compliant. They also need to prove to potential clients that they have sourced their leads in a legitimate manner.

It’s good news for the customer tired of receiving 600 cold calls a day from insurance companies. Not so good for the insurance companies. Or at least, the misbehaving ones, who from May will be subject to regular Information Regulator visits.

How does this affect offshoring?

If your contact center or agents are based, say, in South Africa, but your customers are based in Europe, then the General Data Protection Regulation (GDPR) comes into play. And any business that services EU customers is obliged to comply with those regulations.

‘It doesn’t really matter where you work,’ says Alistair, ‘What matters is the type of personal information you have, how you are using it, where you are storing it, and if you have rights to it.’

Meanwhile in the US, you have various state and federal laws, including the Federal Consumer Protection Law, which protects consumer rights, and the Federal Trade Commission Act, which regulates data security.

Some of these regulations are broad, while others are applicable to certain sectors only, such as finance and health. The Financial Services Modernization Act, for example, deals with the collection and use of financial information.

According to Consumer Protection in the United States: An Overview, American consumers are protected from ‘unsafe products, fraud, deceptive advertising, and unfair business practices through a mixture of national, state, and local governmental laws and the existence of many private rights of actions.’

It’s a bit overwhelming really.

On the upside, companies that adhere to PoPI’s requirements are already geared to do business in Europe and the US.

At the end of the day, regulating how and when contact centers can use private information isn’t a bad thing. There’ll be fewer phones being slammed down for a start, and more meaningful interactions taking place with customers that want to do business with you.

So set your Google calendar alert for 28 May 2018, because that’s when PoPI will be in effect for reals.

Oh – and good luck.

Our thanks to industry expert Alistair Corder for sharing his knowledge with us. For more more information visit Alistair is a member of ICCCA (Independent Customer Contact Centre Association) For more information visit