All salon and spa owners who have yet to comply with the Protection of Personal Information (POPI) Act should immediately appoint an Information Officer and register them on the government portal.
So said Karl Markwald, director at ESP, a panelist at the Professional Beauty webinar held on 5 July, which attracted over 150 delegates.
Fellow panelist, Samantha Lockhart, owner of Myspa Consultants, reminded delegates that the POPI Act applies to anyone who owns a business in South Africa and is recording personal information about a client.
Markwald stressed that there is no need for owners to panic, as while POPI became effective on 1 July 2021, there is a grace period for compliance. He continued: “It is currently a bit of a struggle to register your Information Officer on the Department of Justice’s portal (https://www.justice.gov.za/inforeg/portal.html), so I would suggest you either take a photo or video of yourself trying to register, just so you have proof of your intent to register.
“The POPI Commissioner knows that only 5% of the country is going to be compliant at the moment. They have six compliance officers policing the whole of South Africa. Now that it is law that people own their personal information, it’s important to think of your client’s personal information as an actual asset (like your car, for instance).”
Lockhart pointed out that the central premise of POPI is about getting consent from the client to record their data. “You have to get your company’s POPI compliance protocols in place and once you do this, that’s most of the battle done. Even if you are a one-man band, you still have to comply. I suggest drawing up a Compliance Manual that shows your data protection policies. In the salon and spa industry, we don’t sell or reuse clients’ data but it’s now mandatory to keep this data safe and secure.
“I believe that it’s important for owners to conduct a gap analysis for POPI implementation; this way you can see where you are complying with the law and where you are falling short.
“The security aspect of POPI is super-important. You have a responsibility to not only protect the client’s information on your salon system or website, but also wherever you are storing the information. If you have a third party running your website, you need their agreement that they are keeping your data safe.”
Markwald pointed out that, in terms of the POPI Act, the business owner is the ‘responsible person’, staff are ‘operators’ and clients are the ‘data subjects’.
Scope of Act
According to Markwald, if your salon or spa has a security camera in reception, you need to get the client’s consent to film her when she walks into your salon. Lockhart suggested having a highly visible sign at reception that details your policies and procedures (including that you have a security camera).
Markwald cited another example of how the POPI Act could be breached. “When a client tells a therapist about her divorce, then that therapist might tell another therapist, who then tells a client – that is in breach of the POPI Act.
“Therapists are not allowed to be friends with clients on Facebook, as this would fall under ‘mischievous use of information’ and create a back door if the therapist leaves the salon. Any staff member leaving your employ will be breaking the law if they subsequently contact your clients.”
Whether they are manual or digital, client cards fall under POPI because they record data about a client. Manual cards have to be kept under strict lock and key, while digital client cards must be protected by the security features of whatever software you use. Physical back-ups (such as hard drives) must be stored securely, and cloud back-ups must be encrypted. The salon’s laptop has to be password protected, and likewise the software you use.