In just over a month (July 1), the Protection of Personal Information Act 4 of 2013 (POPI) kicks in, which means all tourism businesses dealing with suppliers, customers and employees need to be compliant or face very heavy fines.
POPI regulates the collection and use of personal information. Companies are required to handle all such data carefully and to give data subjects a way to correct or delete their personal information. They also need to notify the Information Regulator and the affected individuals as soon as reasonably possible after discovering that personal information has been accessed or acquired by an unauthorised person.
Technology company Xperien CEO, Wale Arewa, noted that businesses had had ample time to prepare, but many were now scrambling to become compliant. “They have realised that the impact is enormous, and that significant and unresolved personal data protection issues could result in financial penalties.”
He added that while many businesses were unaware of the risks, unfortunately ignorance of the law was no excuse. “They will be liable should any breach occur. The penalties are severe; non-compliance could incur fines of up to R10 million (€597 000) or even imprisonment,” said Arewa.
According to him, compliance was fast becoming a competitive advantage because customers did not want to be put at risk. Data breaches, regulatory non-compliance, the costs that follow them and the resulting loss of reputation will have dire consequences for businesses.
Senior Associate at legal firm Webber Wentzel, Wendy Tembedza, said the tourism and hospitality sector had taken on a new set of responsibilities to protect guests’ personal information.
She pointed out that most of the big players in hospitality in South Africa had already had to deal with the EU’s General Data Protection Regulation (GDPR), adopted in 2016 and in force since May 2018, which requires businesses to take measures to protect the personal data of people in the EU.
“GDPR and POPI are similar, so some businesses will be prepared for POPI, while some of the smaller establishments may not be. But there are some surprises lying in wait for even the big players, despite their international experience, as POPI has some unique elements not covered by the GDPR,” Tembedza added.
Partner in Webber Wentzel and litigation specialist, Lisa Swaine, provided six key steps to compliance for the tourism and hospitality industry.
1. Responsibility for booking agents
Many travellers probably made their reservations using an online booking site, such as Booking.com, LekkeSlaap.co.za, or Travelstart.
Behind the initial booking site, there may be other parties handling your guests’ information. Under the POPI Act the hospitality business is the responsible party, and anyone processing guests’ information on its behalf is an operator; the business remains accountable for what its operators do with that information, so you need to identify every party in the chain. If one of your booking agents sells or shares your guests’ information with a third party without permission, or starts sending them spam, your business is in breach of POPI as well as theirs.
Your business should have a POPI addendum to existing contracts with all its agents, and new contracts should contain a POPI clause obliging the agent to process information only on your instructions and to keep it secure. All those parties need to agree expressly to abide by these conditions; they cannot be passively ‘opted in’. A business is well within its rights to require its agents to submit to an investigation of their systems and processes to confirm that they are POPI-compliant.
2. What kind of information is this?
When the travellers made their reservations, they would have supplied details personal to them such as passport or ID numbers, credit card details, telephone numbers, addresses and possibly even car registration numbers. What level of protection does this information require?
The POPI Act distinguishes categories of information: personal information (such as ID and passport numbers, contact details and credit card details); special personal information (highly sensitive categories such as race or ethnic origin, religious or political beliefs, health, sex life, criminal behaviour and biometric information), which may only be processed under narrow conditions; and information that is not personal, which does not fall under the Act. Special personal information attracts stricter conditions than ordinary personal information, but both must be safeguarded.
3. Are we accumulating too much information?
Once travellers leave, for how long are you going to keep their details on file?
Minimality is key: a business should not collect more personal information than it needs for a specific, lawful purpose. ‘Personal information’ is defined very broadly to mean any information relating to an identifiable natural person or, where applicable, to a juristic person such as a company. So how much do you really require?
You also need to question why you are keeping personal information (is retention required by law or by a contract?) and, if there is no good reason, records must not be kept for longer than necessary and must be disposed of in a secure manner. This is important because, under the POPI Act, a data subject may ask you to correct or delete personal information you hold about them.
4. How secure is this information?
Taking all reasonable steps to safeguard the personal information in your possession is a critical element in both the GDPR and POPI, as Marriott International found out to its cost in 2018.
Marriott discovered that attackers had compromised the Starwood guest reservation database it had acquired in 2016 and had accessed guests’ credit card and other personal details, involving some 339 million guest records. The unauthorised access had persisted since 2014. The UK Information Commissioner’s Office fined Marriott £18.4 million in October 2020, and a class-action-style suit has been launched in the UK. While the cost in money must certainly hurt, a reputational hit often hurts more.
POPI requires a business to secure the integrity and confidentiality of personal information under its control by taking "appropriate, reasonable technical and organisational measures" to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it. The Act does not prescribe specific controls; it requires the business to identify reasonably foreseeable internal and external risks, establish and maintain safeguards against them, regularly verify that those safeguards are effective, and have regard to generally accepted information security practices for its industry.
5. Is this information relevant outside SA’s borders?
If your business works with international partners or loyalty programmes, it is quite likely that you are transferring your guests’ personal information outside South Africa. The POPI Act has specific requirements for such transfers: broadly, the recipient must be bound by law, binding corporate rules or a contract that gives protection substantially similar to POPI, or the transfer must rest on another listed ground such as the guest’s consent or the performance of a contract with the guest.
6. And on the subject of loyalty...
Much as you hope to see the travellers again or want to entice new travellers, some of the ways you treat returning or new guests need to be handled very carefully from now on.
Unless a person is an existing customer whose contact details were obtained in the course of a sale, who is being marketed similar services and who was given the chance to opt out, a business cannot send electronic direct marketing under the POPI Act without first getting consent. A person may be approached for that consent only once, and the request must use the wording set out in the Regulations to POPI.