Businesses that have taken steps to comply with the General Data Protection Regulation passed by the EU will also have to be compliant with South Africa’s Protection of Personal Information Act by July 2021. Compliance with one does not ensure compliance with the other.
Most people have heard about the Protection of Personal Information Act (POPIA) and the General Data Protection Regulation (GDPR), but you may still be wondering what the differences are between the two. If your business already complies with the GDPR, what more do you have to do to become POPIA-compliant?
The deadline to comply with the GDPR was 25 May 2018. South African businesses have until 30 June 2021 to become POPIA-compliant. After that date, any business that intentionally or accidentally breaches data confidentiality could be liable for a fine of up to ZAR10 million or imprisonment for up to 10 years, or both. The reputational consequences of a data breach could be even more costly.
Below, we set out the key similarities and differences between POPIA and the GDPR and provide some insight into why you should be interested in both and what your approach should be to ensure compliance with both.
The application of POPIA and the GDPR
POPIA applies to the processing of personal information in South Africa that has been entered into a record by or for a "responsible party". A responsible party includes public or private bodies or any person, alone or in conjunction with others, that determines the purpose and means of processing the personal information.
The GDPR is the privacy and security law passed by the European Union (EU) which applies to data "controllers" and "processors" that are:
- established in the EU; and
- established outside the EU but offering goods or services to data subjects in the EU or monitoring the behaviour of EU data subjects.
Similarities and differences between POPIA and the GDPR
POPIA and the GDPR are very similar. They share key concepts such as "personal information" (POPIA), "personal data" (GDPR) and "data subject".
In both pieces of legislation, personal information/data is information relating to natural persons, ranging from race, gender and age to religious and political opinions. Data subject refers to any natural person to whom the personal information/data relates.
However, it is important to note that POPIA's definitions for personal information and data subject are broader than the GDPR’s. POPIA’s definition extends to juristic persons as well.
Another key difference between the application of POPIA and the GDPR is that POPIA focuses on where the personal information is processed (it must be processed in South Africa for POPIA to apply), while the GDPR applies extra-territorially. Under the GDPR, even if a data controller or processor of personal information is based outside the EU, the GDPR will apply if the controller or processor handles the personal information of a data subject within the EU.
POPIA and the GDPR both provide data subjects with extensive rights in dealing with their personal information, including rights to access it, to object to the processing of personal information for the purpose of direct marketing or to request the correction, destruction or deletion of the personal information.
The GDPR, however, provides an extra right to data subjects to access their data in a structured, commonly used, machine-readable format and a right to the transmission of their data directly from one controller to another without hindrance.
Next steps
Whether you are planning to take steps towards becoming POPIA- or GDPR-compliant, it would be efficient and beneficial to do both at the same time, given their similarities and the global applicability of the GDPR provisions.
If you are already GDPR-compliant, it makes sense to have experts perform a GDPR and POPIA compliance audit to determine what further steps your business needs to take to comply with POPIA, saving the trouble and expense of duplication.
Feel free to reach out to us to assist with guiding your organisation towards compliance.