 Good evening and welcome to episode 84 of the Private Property Podcast. I'm your host, Usamanto Muakumalo, it's the Tuesday after the long weekend. You see they're even stumbled because I think these long weekends half mean something, half don't mean anything. So it's our fake Monday and of course we are bringing you all things property this evening with Private Property Podcast. And before we start with our conversation, we are of course running our women's month competition and those two lucky winners are going to be announced on Friday. Probably wondering what you have to do to win. Well, of course, we are asking you to nominate and name any woman in your life that you think should be awarded the Private Property Courageous Women Award Certificate. Share your nominee and a short message of why this woman represents the power and strength this woman's man. And of course, both of you stand a chance of walking away with one thousand grand cash, we will be announcing the two lucky winners right here on the Private Property Podcast. This coming Friday, you simply do not want to miss it. All the competition details are right here below. Now, of course, we do talk property every week, day at 7 p.m. And this evening we're talking about something that I think a lot of us often take for granted. I know sometimes I take it for granted. I was saying to my two guests before we went on that when it comes to this particular topic, I think a lot of us probably start paying attention. The moment there's a breach of some sort and probably thinking what it is. Well, it is, of course, everything that has to do with data. We're going to be exploring the six key points on how the new Puppy Act affects property transactions. And I think one of the big things with this one is, of course, around our data and security breach. And I think a lot of South Africans, I think myself included, tend to not think too much about our security and our data and what it means. Probably don't even know about the new Puppy Act and how it may potentially affect us, particularly as property investors. Of course, that's what we'll be exploring this evening. I'm joined by Janssen, the Carver's Director at Strauss, the New Tunis, as well as Dranjab Jodhan, who is the Director at the Republic. Gentlemen, good evening. Thank you so much for joining us. Good evening, Asama. And I think, you know, I think, Dranjab, I'm going to start with you because I'm sure a lot of people are thinking, OK, what exactly is the Puppy Act? Because I think there's so many different laws that keep changing and obviously get updated that we certainly might not be aware of what the Puppy Act is before we even talk about how it affects us as property investors. Thanks, Asama. Yeah. I think, you know, Puppy in South Africa has been coming for a very long time. If you think it was first enacted in all the way back in 2013, when it first became law and this year in July, on the first of July, it actually became an act in its entirety. Now, what it is, is basically in a nutshell, and to give it sort of a very, very basic explanation, it aims to promote the protection of personal information in South Africa. Now, how it does that is through the establishment of conditions and minimum requirements for the processing of personal information within the country. So prior to this, we've never really had very strict rules on how organizations are required to process information within their organizations or their businesses or how they even obtain or collect that information from the ordinary person. So the act basically creates two distinct roles, one being a responsible party, meaning the person who is responsible for all the information and the data subject, which is pretty much the person to whom the information relates. So effectively, it establishes new rules and ways of doing things, which is with respect to information within the country. And I think, you know, Jan, I'm going to bring you in here and probably talk about what kind of data, I think before we even look at how we are essentially affected, what kind of data we're talking about here. Because there are people at home are thinking, well, I mean, these data that I probably have, I certainly share it with different service providers. So what kind of data is essentially covered with the puppy act? Well, what the act refers to is personal information and personal information in a data form can really be any information. But it is information that relates to you as a person. So the definition is quite wide. For example, names, whether it goes on to ID number, then things like race, sex, sexual orientation, political affiliations and all of these kind of things that relate to a person and even extend in some services to a company. And all of that is regarded as data. And essentially, if you want to summarize that, you say, well, it's personal information attaching to you as a person. So everything almost about you is regarded as personal information. And that's the data that people collect and somehow store and need to do so in terms of the act in a responsible manner. So, you know, you were mentioning earlier that, you know, the act sort of when we look at the, I'll say the lifespan of the act. I remember a couple of years ago having conversations about this. So kind of first, I'll say, probably in 2013, saying that in July this year it was implemented. Perhaps, you know, take us through, you know, has firstly been fully implemented and what are the implications of this act being in effect? OK, so basically in 2013, certain sections of the act became effective. It was only a very small part. It was some it was the sections, you know, basically defining what personal information is, it was the sections establishing the information regulator. So a very important part of what Poppy does is it establishes a new office and that's the office of the information regulator. So the information regulator is effectively the watchdog in respect of the law. So the information regulator has is the ability to prosecute and to enforce the law. But now that was in 2013. And since then, Poppy's always been on the horizon every year until this year where it's finally arrived. Now, what this what I mean by finally arrived is the act is now fully effective, meaning that all of the sections in the act are are active. But that also means that in terms of the act, we now have a one year grace period to become compliant. So effectively, the last day to not comply with with Papia is this 30 June 2021. So from one July next year, 2021, you have to comply with with Papia. And that that's pretty much for every company. There's very few entities or organizations within the country that can say they don't need to comply with Papia, because pretty much every if you look at how wide the definition is of processing and of personal information, pretty much every entity would have to comply with the requirements of Papia. And I think now we'll probably look at how you know, the Papia Act essentially affects people who are into the property space, but a lot of our users obviously have an interest in property, whether it is tenants or certainly property investors. Perhaps John, you know, take us through how exactly Papia Act essentially affects people who are interested in property and who who have not only have an interest in property, but essentially their day to day might effectively be property. You know, the interesting thing about the act is really that, you know, it's going to affect everybody. And that's on both sides of the spectrum. People who will receive your personal information and then, you know, normal guys like us who are giving personal information. And I think in the property space also, you know, guys need to understand that it's going to apply to everybody across the spectrum. So if you're interacting on any level with somebody and receiving information about that person, you're going to fall within the scope of the act. So I think from a, you know, property perspective, especially your estate agents, estate agencies who, you know, they've got many clients who are prospective buyers, sellers, prospective tenants, prospective landlords. All of these guys, they constantly interacting with and, you know, receiving their personal information and possibly also moving into a space with a handing out that personal information. And then also, I think on property investor side as well, even developers, they might have a list of potential investors that they deal with and also potential clients. So across the board, it's really, you know, affecting everybody. And like I said, I think that's the interesting thing about the act as well as it's very difficult for a business of any sort to really say, well, you know, that's not going to apply to me. It's highly unlikely. You know, John, you're actually saying that essentially, you know, companies currently have a one year grace period to be compliant, perhaps explain what being complied essentially entails. It's particularly within the, you know, the aspect of people who are in property, in property. So whether we're looking at how estate agents are meant to be complied or certainly developers are meant to be compliant, because I think as people who are essentially buying property or even how landlords are meant to be compliant, because I think we certainly do find a lot of landlords who don't use estate agents to manage their property. So they're also receivers of their tenants or prospective tenants data. So they essentially also need to be aware of how this new act is going to affect them. Perhaps let us know how, what does it essentially mean or look like when we are compliant as property investors or people who receive people's data? So I think that the main thing to to remind ourselves about in respect of compliance with property is that there's no one size fits all approach to it. Every organization has different requirements. Every organization has different data processing requirements. Every organization has a different risk profile. So I mean, if you think about how broad the application is in terms of who it applies to, so it applies to the, you know, the primary school down the road and it applies to the biggest bank in the country, equally. So both both those entities are vastly different in what they do and how they process data, the same law applies to them. And both those entities have to comply with the very same law. So when I say one size doesn't fit all, it's absolutely true. So each entity has to approach it in a way that works for them. So if you look at, you know, an agent, for example, they have to make sure that their processes, systems and procedures comply with the requirements of the act. And how you do that is through an analysis of what information you use, how you use that information, what you do with it, where it goes, once you've done processing it, who you might share it with. And you have to pretty much understand the entire data life cycle as you receive the information and what you do with it when you finished with it. So compliance is a, you can't paint everyone with the same brush when it comes to compliance with POPIA. And it really just depends on each organization. So what we've found is that as long as you can ensure that the business is operational and your organization can still do what it needs to do whilst complying, that's the best way to comply with the law. It's pretty much a journey from a journey towards compliance. It's very difficult to say, you know, in 20 days, you're going to be compliant with POPIA because there's always something that changes, technology changes the way we do business changes. I mean, if you look at all the changes that COVID's brought in respect of the collection and processing of information. If you think about a property owner who manages a building, all of a sudden now at their front desk, they're not collecting people's health information, for example, which is not something that they thought they'd ever be doing a year ago. But now that's part of their risks. They are now in possession of people's health information. And in terms of POPIA, that's a very sensitive information that needs to be protected and not simply able to be accessed or shared at the front desk. So it's, you know, it's different considerations, but in the property space, it's just how we collect and use use that information for whichever purpose we we needed for within the the organization. We're going to go for a quick break and we're going to come back. I actually wanted to speak about, you know, the effect of digitization across the board and how that's essentially going to be affected by this new public access. I think one of the things as you know, the message on is COVID has almost accelerated the way in which we're working on a digital platform. More and more, we're finding that we are more reliant on various digital platforms to conduct our business, whereas before it would be an integration of both sort of face to face interaction and digital. And of course, we can imagine that so much data is being shared on digital platforms, we're certainly sharing even our own data, you know, with various service providers, landlords are sharing data with their tenants. Tenants are sharing data with landlords or certainly prospective landlords or even agents as they are going about looking for new places. And I think we're also is probably best to sharing our data with various estate agents as we ourselves are looking to grow our property portfolio. So understanding the best ways or how, you know, the digital world essentially is going to be affected by the puppy act is something that we need to be mindful of. We are, of course, taking your questions and comments on this one. I think one of the things is if you've ever been on the receiving end of your data being misused is probably one of those things that you're now more mindful of than ever before. But if you aren't, you're probably like the rest of us, where you're kind of, you know, slightly different to it and you think that wherever you put your data, it is not being misused for different or certainly sinister reasons. But of course, that isn't always the case. So you do want to hear from you if you've ever had that kind of encounter. I know sometimes we tend to find, you know, tenants not providing the correct data and eventually moving out of the apartments and landlords struggling to trace the tenants. That does, of course, become such a, you know, problematic thing. I've certainly seen a lot of landlords talking about this, especially now during COVID. We're going to come back and right after this, we're going to be talking about the effects of the puppy act on our increasingly digital world. We'll be back just after this. Welcome back to episode 84 of the Private Property Podcast. I'm your host, Uzaman Duman, Kumalo. This evening I'm joined by Yann Sinakal, who's the director of Strahd's Daily Attorney, as well as, right, Jean-Jacques Jordan, who is the director at The Bit Republic. And we're looking at the key things, you know, to consider or certainly to know about when it comes to the puppy act that affects property transactions. Perhaps, you know, Jordan, take us through what the legal repercussions of sharing sensitive information without the relevant permission under the act is, because I think a lot of us have probably been on the receiving end of that, where we suspect that our data has been shared by a third party. You certainly do see a lot of, you know, especially the big companies having an up and up option to share your data with third parties. But not everybody, of course, has that option. And they inevitably do end up sharing your data. I think even sometimes with people within the property space, whether it's agents or certainly landlords sharing their tenants' data with other stakeholders, what are the repercussions in the event that people do this under the act? All right, so I mean, there are various contexts under which information can be shared. You know, consent, for example, is one of them. Or if you deliberately make information public. Amongst many others. But, you know, if you're looking to talking specifically about repercussions, the act does provide for penalties and fines. These include, I mean, you can be sentenced to 10 years in prison for the more serious offenses or fine of up to 10 million rents in terms of the law. But that's, you know, that's in terms of the legal repercussions. But there's also reputational repercussions. If a breach happens and, you know, it's been shown that the organization that who is the subject of the breach was negligent in handing your information. There's a huge reputational sort of damage and risk that happens to that organization, particularly today. Because as you mentioned, due to the increased digitization, we're becoming so aware of our digital information that is all over, you know, the internet. We share it digitally, especially today, where we pretty much work remotely digitally. There's very little face to face or interaction happening. And we also must be mindful that Poppy doesn't only apply to digital information or electronic information, it also applies to physical hard, you know, the documents and that sort of thing. So there's sort of two sides to to that that that coin that that apply. So now, for example, if you think about how empty a lot of offices might be, you know, there's a huge risk in security for all that information that's still sitting in physical form, for example. But similarly, from a digital point of view, we are now sharing information via email, via various different online cloud services. And, you know, if we're not, you know, if entities aren't careful, you know, you could share unintentionally shared information, which also could pose a risk to to the organization and and open you up to some finds or even Delta, if you're not extremely careful. You know, we keep talking about living in an increasingly digital world and how now more than ever, we are, of course, finding ourselves having to use various digital platforms to stay connected and to communicate and even do our work. Would you say that it's easier or harder for your property entities or real estate entities right now to comply with the act? Because I think I can certainly imagine that they perhaps might say that they're facing difficulties. So would you say that it's essentially easier or harder right now for them to do so and for the act to be enforced, given that we are increasingly more and more digitized? It's a quite interesting question, Zoma, because in the in the age we're living in, there is a lot more information out there, personal information and otherwise. And I mean, that's really where the great drivers come from in the last couple of years in terms of artificial intelligence, because that stems from when it's built on all the data that's out there. So all of a sudden these these artificial intelligence systems have something to work off and now it is able to start machining and working that and giving you information about essentially yourself. You know, your phone will tell you how long it will take to go somewhere before you have started your journey, because it knows that it's a time that you usually go to a certain place. And that's because your information is already out there. And that's where it becomes really interesting, because it's not only personal information, such as my name, my surname, my ID number, all of these kind of things. But it goes a lot further into where am I going to Garmin watches recently had a breach on their systems. And what all information of their users are stored on that system? I'm not 100 percent sure, but it probably will show if I'm a semi-decent IT hacker person, I can probably determine where you are moving from most of the time and where you live. So now I've got probably your address as well. And so saying that there's a lot more of this information available nowadays, which might make it seem like it's a lot harder to comply. But then again, with technology, what it is in systems, what it has become, you know, you can you can automate it and really structure your compliance in a special kind of way. And that's where this this act is really interesting, because it, you know, you've got this interplay between legal requirements on the one side, but then also implementation of executing those legal requirements, which then move you into the IT technology space. And it's not necessarily such a difficult thing to comply, provided your systems and all of these things are in place. Which also I think just brings you back to to the importance of the act as well, like you were saying, you know, that there's there's significant penalties that are that could be imposed. But one is to remember that, you know, the act stems from a person's right to privacy, which is in the Constitution. So it's essentially protecting a constitutional right. And I think a great example for listeners is, you know, what happened with Facebook and Cambridge Analytica? And how they had people's information and data, but then used it in an incorrect way and probably without people's permission. And I think, you know, it's one of and I think it's certainly one of those things that when we look at certainly the big apps, a lot of us tend to opt in and say we've read the terms and conditions when in effect, we simply don't read the terms and conditions. And a lot of us probably don't understand the full extent of what exactly is we are signing away to a lot of these big corporations when we do do so. And as you're saying, I think when you then look at AI and machine learning and the various companies that work within that space, then you begin to get a very sometimes perhaps maybe a depressing picture of what is being done to your data. I mean, oftentimes we all have, we always joke with my friends that, you know, your machines are listening to you. We could be talking about tiles right now and tomorrow morning I wake up and I'm already been sent ads about tiles. So there's always that fear or sudden reality that our data is somehow out there. And I think certainly as different people, you sometimes just decide, you know what, I know my data is out there, maybe I shouldn't overthink it. And then when we talk about the extent to which our data is out there various companies who even work in that data, it brings us to one of the questions that have been asked. Of course, we are taking your questions and comments at home. We're exploring the extent of the new PAPI Act and how it's going to or how rather it affects those of us who are in the property space. It has if it's obviously beyond the property sector, but we certainly want to understand what the effects are on property transactions. We've got a question here from Ozan Deloko who asks, what is the impact of the PAPI Act for those organizations who sell customer information and data mining? So so that's a very interesting question in respect of how that information is then used. So remember, the Act sets our conditions of how you can process information. So when it comes to something like data mining or or even data matching, which is you're taking two separate types or two separate sources of information and you're matching them up in it and doing so, you create some new information. You have to really be careful if an organization is doing that type of processing about what they are doing and where they're getting the information from, because ultimately, if they are obtaining the information for one purpose, but using it for another purpose, they will then be in breach of the law if they haven't notified or informed the data subject about that type of you know, conduct or or processing that they are doing. So while it is possible, it's just you know, entities must be very careful about how they approach that type of processing, particularly in light of the requirements of POPIA. And I think with regards to that follow up, you know, question from Zandile, is that is there a body association where people can report unsolicited reports from telemarketers? And this is of course in the event where they suspect that perhaps their data has been sold, whether it's against their will, Jan? Yeah, that's so, you know, the actors now created the information regulator. And that's really the body that's overseeing the implementation of it and you know, where complaints can be directed to and also that the body that's going to basically enforce the law. And I think, you know, Joanne, certainly as property investors or people who are within the property space, what can we do to essentially make sure that we are less vulnerable to, you know, having our information misused or even the information that we then gather being misused? Because I think we certainly want to of course not to, as you were saying earlier, that a lot of companies right now even have physical data on their premises, which could potentially be a data threat because anything could potentially happen. So what are some of the things that we are able to do to safeguard our data as much as possible? Yeah, so I think, I mean, that question applies to everyone in South Africa and organizations included. So effectively, we must, if you're an organization who processes personal information, you must be aware of what you process and how you process it. And on the other side, as a data subject, you must be aware of what information you are sharing with responsible parties. Effectively, as an organization, I like to use a little saying, which is say what you do and then do what you say in respect of the information. So if I'm going to collect your information for this purpose, I will tell you that's what I'm going to do and then I will use it for that purpose. So there shouldn't be any secret processing or processing that the data subject is not aware of at the end of the day. And that's how property companies or people in the property industry should treat data. It must be an open and transparent data processing arrangement or relationship between the responsible party and the data subject. But similarly, if you flip it around again, the data subject must be really mindful about the information that they share and what they know or expect is going to happen with that information that they actually share with the responsible parties. So we must just understand the purpose of the data processing from both sides. And once we once we get to that point, we can then start understanding the relationship between ourselves as data subjects and responsible parties and vice versa. And before I let both of you go, any final tips for our viewers at home who are whether property investors or certainly who are landlords who do, of course, manage people's data, any final tips you'd like to give to them in terms of handling various people's data, especially bearing in mind that we now have a the puppy act that's in effect that perhaps some people didn't have the full understanding of, especially what the legal repercussions are in the event that they don't comply. I think to keep it very simple for people is in a space where you are interacting with people and they are giving you any kind of information about themselves. You probably were definitely moving into the the sphere of the puppy act and to realize that you're moving into that space and that saying that that that you just mentioned, you know, to do what you say. And what did you say you're going to do with this information? Well, I need to verify, for example, your income to see if you are eligible to rent an apartment for us. Do that, but then there comes a time when that person might not be the successful candidate and then you need to discard that information because you don't need to hang on to it. And I think just being aware of number one, when you're moving into that space and number two, what are you collecting and why are you collecting it? Because you then might move into a time when what you've collected, you don't actually need anymore. Gentlemen, we're going to leave it right there. I think it is certainly one of those important things as property investors that we always need to be mindful of, especially when it comes to people's data that we often handle. And I think more than anything, it's the legal repercussions that would essentially that would be, you know, subject to in the event that you don't adequately handle people's data. Jean-Jacques, Dan, thank you so much. And Jansen, thank you both for joining us this evening. Thank you, Zama. Thank you very much. And that's it for this evening's episode of the Private Property Podcast. I think data is one of those things that we often forget about. And often or more often than not, you probably start thinking about it the moment it starts negatively affecting you. I know a lot of people who start, you know, being extra vigilant as soon as their identity has been stolen and somebody has gone up and sort of bought a million and won things on credit. But of course, we do not want to get it there. So if you're a property investor or a landlord and you are handling somebody's data, be sure that you have the correct security measures and you handle that data with extra caution is certainly for those of us who are buying property or want to be tenants, make sure that you give the right data at the right time and be as safe as possible when you share your data with different stakeholders. Well, folks, that's it for us from us rather on the Private Property Podcast. We're back again tomorrow. You certainly do not want to miss it. And as usual, hoping you stay home and stay safe.