The South African Information Regulator is beginning to flex its muscles, placing a good deal more urgency on companies to review how they collect, store and use customers’ personal data. But more than just avoiding potential penalties, local brands must become more intentional in their 1st party data strategies if they hope to retain a competitive edge over the next 12 months.
Data breaches in South Africa are growing rapidly with 600 reported between January and August of this year alone. The regulator has already issued a R5 million fine to the Department of Justice and is beginning to crack down on private companies which it believes have not fully complied with the Protection of Personal Information Act (POPIA).
“Even some of the largest brands are not paying the necessary attention to how they collect, store and use data. Policies may be in place, but they are often not adhered to. It’s an unfortunate situation, but unless South Africans get their house in order, we will be viewed as the Wild West of first party data,” shares Chelsea Owens, client service director at Incubeta.
A complex environment
Owens says the South African landscape is a complex one, where consumers have diverse media consumption habits. She also notes that local consumers demonstrate a very divergent view of data ownership and what is important when it comes to data privacy.
“What the informed person is willing to part with when it comes to divulging personal information differs hugely from the regular man in the street. There are a lot of unwitting South Africans who think they have to part with huge amounts of sensitive information before they can pass through the gate.
“One of our biggest challenges is that the value exchange is not clearly articulated by either the organisation collecting the data, or the organisation who will be using the data down the line. Whether it’s neglect on the consumers’ side for not asking the right questions, or mismanagement on the side of the companies, there is no clear custodian of the data and this is where brands are tripping up,” she says.
Can’t pass the buck
Marketing professionals still need to be mindful of protecting consumer data, even if they have agencies running campaigns on their behalf. While there may be various mechanics of how this is handled, Owens says brands must stand up and take ownership.
“Brands that allow third parties to gather data on their behalf have to ask pertinent questions. Where is that data going? Where is the lead form hosted? Who’s collecting and collating all that information? You can’t feign ignorance. If a consumer were to take legal action, they will be taking it against you, not your third party agency. If you run a competition and there is a data breach, the regulator will be in a position to fine the offending party. They will be going after the brand that ran the competition,” says Owens.
There is no doubt that brands are doubling down in their efforts to collect first party data as they ready for the deprecation of the third party cookie earmarked for next year, but Owens says it’s vital that responsible data strategies win out.
“First party data has always been our Northstar but now it is the central tenet of our marketing activity. All activation comes from first party data. It’s your known data set; It’s your known customer; It’s far richer data than third party data. And it should be protected at all costs. Brands need to get their legal team involved and get POPIA consultants in to ensure they have locked down all the compliance issues – both in-house and between themselves and their agencies.
“It’s not just the regulator who is flexing, soon we will start to see class action lawsuits and I would not like to be the CMO remembered forever in the law textbooks. Brands must step up and assume the role of consumer data custodian,” she says.