All salon and spa owners who have yet to comply with the Protection of Personal Information (POPI) Act should immediately appoint an Information Officer and register them on the government portal.
So said Karl Markwald, director at ESP, a panelist at the Professional Beauty webinar held on 5 July, which attracted over 150 delegates.
Fellow panelist Samantha Lockhart, owner of Myspa Consultants, reminded delegates that the POPI Act applies to anyone who owns a business in South Africa and records personal information about a client.
Markwald stressed that there is no need for owners to panic, as while POPI became effective on 1 July 2021, there is a grace period for compliance. He continued: “It is currently a bit of a struggle to register your Information Officer on the Department of Justice’s portal (https://www.justice.gov.za/inforeg/portal.html), so I would suggest you either take a photo or video of yourself trying to register, just so you have proof of your intent to register.
“The POPI Commissioner knows that only 5% of the country is going to be compliant at the moment. They have six compliance officers policing the whole of South Africa. Now that it is law that people own their personal information, it’s important to think of your client’s personal information as an actual asset (like your car, for instance).”
Lockhart pointed out that the central premise of POPI is about getting consent from the client to record their data. “You have to get your company’s POPI compliance protocols in place and once you do this, that’s most of the battle done. Even if you are a one-man band, you still have to comply. I suggest drawing up a Compliance Manual that shows your data protection policies. In the salon and spa industry, we don’t sell or reuse clients’ data but it’s now mandatory to keep this data safe and secure.
“I believe that it’s important for owners to conduct a gap analysis for POPI implementation; this way you can see where are you are complying with the law and where you are falling short.
“The security aspect of POPI is super-important. You have a responsibility to not only protect the client’s information on your salon system or website, but also where you are storing the information. If you have a third party running your website, you need their agreement that they are keeping your data safe.”
Markwald pointed out that in terms of the POPI Act, a business owner is the ‘responsible person’, your staff are ‘operators’ and your clients are the ‘data subjects’.
Scope of Act
According to Markwald, if your salon or spa has a security camera in reception, you need to get the client’s consent, when she walks into your salon, to video her. Lockhart suggested having a highly visible sign at reception that details policies and procedures (including that you have a security camera).
Markwald cited another example of how the POPI Act could be breached. “When a client tells a therapist about her divorce, then that therapist might tell another therapist, who then tells a client – that is in breach of the POPI Act.
“Therapists are not allowed to be friends with clients on Facebook, as this would fall under ‘mischievous use of information’ and create a back door if the therapist leaves the salon. Any staff member leaving your employ will be breaking the law if they subsequently contact your clients.”
Whether they are manual or digital, client cards fall under POPI as they record data about a client. Manual cards have to be kept under strict lock and key, while digital client cards must be security protected on whatever software you have. Physical back-ups (such as hard drives) must be stored securely, and cloud back-up encrypted. The salon’s laptop has to be password protected, likewise the software you use.
COVID registration forms (which record clients’ names and contact details) should be locked away after each client fills in their details and cannot be left lying around on the reception counter: clients may not see each other’s data, as this is in breach of the Act.
You are not allowed to contact people via social media with the intent of promoting your business to them. It’s essential that you obtain permission from your clients to send them promotional material and special offers. A simple piece of text at the bottom of their client record, such as: ‘By ticking this box I agree that the company may send me promotional information and special offers from time to time’ will suffice (add the tick box).
Historical data + ‘opt out’
Salon owners should clean up their database and delete all ‘unsubscribes’. In addition, they should remove the data of any clients who have not visited the salon for 18 months to two years.
“You can always get new consent from the client should they return to the salon,” said Lockhart. “For any communication to clients, it’s important to include an ‘opt out’ option, so the client can decide if they still want to receive your emails, SMSes or WhatsApp messages. Cold calling is not allowed without the client having consented to it in the first place.”
Markwald stressed that the key to POPI is to only use the information for the purpose it is intended. “For example, if someone comes to a service station – they can’t then phone you and try to sell you tyres. It’s important for owners to focus strongly on staff training. All staff need to sign an agreement that they respect the POPI Act and the clients’ data. These forms should be kept in a safe. If anyone requests information on your data protection practices, you may inform them of a time frame in which you will respond, such as, for example, 30 days.”
In conclusion, Markwald urged owners to think of personal information as wads of banknotes. “You would not leave them lying around.” (Report by Joanna Sterkowicz)
For more information, read Samantha Lockhart’s article on the POPI Act on pages 12, 13 and 14 of the July 2021 issue of the Professional Beauty digital magazine, available at https://issuu.com/professionalbeautysa/docs/pb_july_2021?fr=sM2U0YzM5NDE0MTc