https://www.polity.org.za
Deepening Democracy through Access to Information
POPIA, GDPR – or both?

30th November 2020


Businesses that have taken steps to comply with the General Data Protection Regulation passed by the EU will also have to be compliant with South Africa’s Protection of Personal Information Act by July 2021. Compliance with one does not ensure compliance with the other.

Most people have heard about the Protection of Personal Information Act (POPIA) and the General Data Protection Regulation (GDPR), but you may still be wondering what the differences are between the two. If your business already complies with the GDPR, what more do you have to do to become POPIA-compliant?


The deadline to comply with the GDPR was 25 May 2018. South African businesses have until 30 June 2021 to become POPIA-compliant. After that date, any business that intentionally or accidentally breaches data confidentiality could be liable for a fine of up to ZAR10 million or imprisonment for up to 10 years, or both. The reputational consequences of a data breach could be even more costly.

Below, we set out the key similarities and differences between POPIA and the GDPR and provide some insight into why you should be interested in both and what your approach should be to ensure compliance with both.


The application of POPIA and the GDPR laws

POPIA applies to the processing of personal information in South Africa which has been entered into a record by or for a "responsible party". A responsible party includes public or private bodies or any person, alone or in conjunction with others, that determines the purpose and means for processing the personal information.

The GDPR is the privacy and security law passed by the European Union (EU) which applies to data "controllers" and "processors" that are:

  • established in the EU; and
  • established outside the EU but offering goods or services to data subjects in the EU or monitoring the behaviour of EU data subjects.

Similarities and differences between POPIA and the GDPR

POPIA and the GDPR are very similar. They share key concepts such as "personal information" (POPIA), "personal data" (GDPR) and "data subject". In both pieces of legislation, personal information/data is information relating to natural persons, ranging from race, gender and age to religious and political opinions. Data subject refers to any natural person to whom the personal information/data relates.

However, it is important to note that POPIA's definitions for personal information and data subject are broader than the GDPR’s. POPIA’s definition extends to juristic persons as well.

Another key difference between the application of POPIA and the GDPR is that POPIA focuses on where the personal information is processed (it must be processed in South Africa for POPIA to apply), while the GDPR applies extra-territorially. Under the GDPR, even if a data controller or processor of personal information is based outside the EU, the GDPR will apply if the controller or processor handles the personal information of a data subject within the EU.

POPIA and the GDPR both provide data subjects with extensive rights in dealing with their personal information, including rights to access it, to object to the processing of personal information for the purpose of direct marketing or to request the correction, destruction or deletion of the personal information.

The GDPR, however, provides an extra right to data subjects to access their data in a structured, commonly used, machine-readable format and a right to the transmission of their data directly from one controller to another without hindrance.

Next steps

Whether you are planning to take steps to become POPIA- or GDPR-compliant, it would be efficient and beneficial to do both at the same time, given their similarities and the global applicability of the GDPR provisions.

If you are already GDPR-compliant, it makes sense to get experts to perform a GDPR/POPIA compliance audit to determine what other steps your business needs to take to comply with POPIA, saving the trouble and expense of duplication.

Feel free to reach out to us to assist with guiding your organisation towards compliance.

Written by Karl Blom, Senior Associate & Ekene Nkado, Candidate Attorney at Webber Wentzel
