Are we compliant?

What about GDPR and POPIA?

With the Protection of Personal Information Act (POPIA) coming into effect on 1st July 2021, there has (understandably) been a lot of uncertainty and questions around what POPIA actually means from a cold email prospecting and demand generation perspective — so we’d like to put your mind at ease.


Based on legal consultation, there are really only two instances that are relevant to prospecting:

  1. Direct consent: when personal information obtained by third parties is publicly available, direct consent is not required in terms of POPIA. Our primary focus has always been on sourcing and using data that’s in the public domain.
  2. Third party use: where we need specific data, or we’re unable to find relevant data that’s readily available in the public domain, we purchase data from providers. We follow rigorous checks to establish that the third party obtained the personal information fairly, lawfully, with consent and that the data subjects understood their details would be passed on for marketing purposes.

Looking at the EU for guidance: GDPR

We have further precedent from the General Data Protection Regulation (GDPR), which is the EU’s version of POPIA and also forms the basis of our compliance efforts.

The GDPR requires a ‘lawful basis’ for processing data. For us, the lawful basis under which we collect and process data falls within the definition of ‘legitimate interest’:

  1. the content is of clear benefit to the business / prospect that we’re targeting;
  2. there is limited privacy impact on the individual i.e. no personal data is processed, only data that is publicly available; and
  3. the individual would reasonably expect their data to be used in this way.

As such, each of SHS’s email campaigns is hyper-targeted: we only send emails to potential prospects where we can define the legitimate interest of that communication, and we have specifically obtained data from public sources available on the open web, including LinkedIn, Google, social media profiles and news articles. Examples of this include targeting a prospect based on their industry or job title, knowing that the data used is from publicly listed sources, that what the email is positioning provides real value, and that this can be proved through a track record of success.

In addition, we ensure that:

  • a clear and readily accessible Privacy Policy is available, which states that we rely on legitimate interest for marketing purposes;
  • a clear way for prospects to opt out of marketing communications is included in each email, in the form of an opt-out link;
  • any person who chooses to ‘opt out’ or ‘unsubscribe’ (be it through the opt-out link or requested by way of reply) is immediately removed from any campaign-related database, and is not contacted again. This includes removing them from profiling activities, as well as direct communication;
  • we comply with all legal and ethical standards – we never spam; we mimic natural sending behaviour by keeping communication natural and at a cadence that one would expect when an individual is prospecting manually;
  • the content of all emails typically focuses on niche markets, and is always relevant to the role / job title of the prospect, and as such can be defined as of ‘legitimate interest’ to persons in that market, with that role / job title;
  • the nuisance factor of unwanted or overly frequent marketing messages is taken into consideration, and cadence is set accordingly;
  • we document our own assessments of how legitimate interest applies to our campaigns and can justify these decisions where (and if) necessary.

Shall we talk?