You take good care of your clients, offer suitable financial advice and recommend appropriate financial products to help them meet their insurance and financial needs. And you keep their personal information private and confidential. But POPIA (Protection of Personal Information Act) may require you to do more!
We compiled a five-point POPIA checklist for financial advisers to help you ensure you are POPIA compliant. But first, you need to get to grips with what POPIA is all about.
Understanding the basics
It’s worth keeping in mind what POPIA covers, because the terminology can get quite technical, impersonal, and as some compliance experts have pointed out – confusing!
Collecting, using, storing and destroying personal information
POPIA requires you to:
- Collect only the personal information you need
So that you can:
- Use it for the purposes agreed on, such as drawing up a financial plan
And keep this information:
- Up to date
- Only for as long as you need it
You must be POPIA compliant from 1 July 2021.
POPIA checklist for financial advisers
1. Identify what personal information you have for your clients
Personal information, according to the Act, includes but is not limited to information about a person’s:
- Identity – including ID number, race, nationality, gender and sexual orientation
- Religion, belief and culture
- Marital status
- Health – physical and mental, including any disabilities
- Biometrics such as fingerprints and blood type
- Finances, employment history and any criminal history
- Addresses – including email addresses and telephone numbers
The first step to becoming POPIA compliant is to identify what personal information you have and where it is stored. This may be on application and claim forms, correspondence such as email, WhatsApp messages on your phone, contact lists, etc.
2. Know what you can, and cannot do, with personal information
As a financial adviser you need your client’s personal information so you can give good financial advice, draw up plans and recommend products. POPIA refers to this as lawful processing.
For example, your client shares information with you about their health (personal information) when they complete a life insurance application. You can only use the information you have for this purpose – taking out life insurance.
You cannot use the information for some other purpose, such as selling an entirely different, unrelated product, or passing this information on to another person or business.
This doesn’t mean that you can’t send SMSs, emails, newsletters, and other direct marketing material using the information in your database. You can still send out messages and information to:
- Your existing clients – unless they have expressly said “do not contact me”; and
- Your new clients – if they consent upfront.
In both cases there must be an opt-out where your clients (new and existing) can easily and quickly say “please don’t send these to me anymore” or “unsubscribe”.
Top tip: Always ask your clients to consent in writing to contact and correspondence.
3. Store your client’s personal information safely
- Know where the information is kept – physically and electronically.
- Make sure this information is safe with secure access so that it’s properly protected from data breaches and theft. This means having a locked filing cabinet for paper records, and ensuring your cyber security is tight. It’s best to consult a cyber security consultant to help you get your systems in place, as they will help to ensure you’ve covered all channels where personal information might be collected – such as text messages.
- If you have employees or partners, everyone handling that information will need to be trained to ensure that they comply with POPIA and dispose of personal information securely.
4. Destroy clients’ personal information when you no longer need it
If at some point in the future you no longer need your client’s personal information, you need to destroy it. “Destroy” means you need to destroy it completely, which includes all back-ups, paper copies and documents in recycle bins.
5. Document your POPIA compliance process
POPIA has harsh penalties for non-compliance – up to a R10 million fine and, in some cases, prison time. So you need to be able to show that you are following the regulations:
- Document your process with details on how and when you collect information, use it, store it and destroy it.
- Appoint an Information Officer who is responsible for making sure the business is compliant. If you run your own business you will be the Information Officer. The Information Officer must register with the Information Regulator.
- Regularly review your process and the safeguards – for example, change passwords (including any 1Life Vantage passwords), review where keys are kept, and run anti-virus scans.
Your document doesn’t have to be too lengthy: you can keep a short list of bullet points. But it must show that you have taken steps to protect the personal information you have on your systems.
If, down the line, someone uses a client’s information unlawfully, you will have to be able to prove that the leak didn’t come from you, and that you did what was reasonable to protect their personal information.
The Vantage advantage
If you use 1Life Vantage you can rest assured that your clients’ personal information is safe. Vantage is POPIA compliant, with secure logins which keep information safe. It is also paperless, which means information is stored in one central and secure place.
Don’t miss the deadline
Although there have been some delays in implementing POPIA (it was written in 2013), it officially became law last year. The 12-month grace period for compliance ends at the end of June. We aren’t expecting any more delays, so get your POPIA process documented, and make sure your records and your business are POPIA compliant.