South Africa’s Protection of Personal Information Act of 2013 (POPIA) officially came into effect on July 1, 2020, but organizations were given until July 1, 2021 before enforcement is in place. The good news about compliance with this regulation is that if your organization already did the work to comply with the General Data Protection Regulation (GDPR), then you are well on your way to meeting the requirements for POPIA. Let’s take a look at some of the high-level differences and similarities between POPIA and GDPR.
Note: This blog post is intended to provide an overview of POPIA and should not be construed as legal advice. We suggest you consult an attorney to understand how POPIA affects your company and how to ensure your compliance.
Difference #1: Jurisdiction
|POPIA applies to companies that are based in South Africa OR process personal data in South Africa. The data processed is not limited to the citizens or residents of South Africa.
||GDPR applies to any organization, globally, that processes data of EU residents.
Difference #2: Applicability
|POPIA applies to the personal data of natural persons (people) or juristic persons (companies/organizations).
||GDPR applies to the personal data of natural persons (people).
Difference #3: Data Protection Officers
|POPIA requires all organizations to have and register an Information Officer. If an organization does not have an appointed Information Officer, then it defaults to the CEO or other head of the organization.
||GDPR requires an organization to have a Data Protection Officer if they are a public body, if they participate in regular and systematic monitoring of data subjects on a large scale, or if they process a large amount of sensitive personal data.
Difference #4: Data Collection Directly from Data Subjects
|POPIA allows for data collection directly from the data subject and for the collection of data from the public sphere if data subjects have explicitly made their data publicly available.
||GDPR provides rights to the data subject for the scenario when the data is collected directly from the data subject and when the data is collected not directly from the data subject.
As we mentioned at the beginning of this post, POPIA and GDPR share many similarities. If you are compliant with GDPR already, you are most likely prepared to be compliant with POPIA, but you will still want to review the new regulation’s requirements in detail.
- Both laws share a set of principles around transparency, limitations on data collection and processing, data integrity, and data security.
Data Subject Access Rights
- Both laws give data subjects rights so these subjects know when their data is being processed, have access to their personal data, have the ability to correct or delete their data, have the right to object to processing and direct marketing, have the right to lodge a complaint, have the right to not be subject to automated decision making, and have the right to a civil proceeding brought on their behalf by a regulator/authority.
- Both POPIA and GDPR require that an organization must reply to or resolve a data subject access request within 30 days, but POPIA does allow for extensions to be requested for compelling reasons such as legal delays.
Data Breach Notification
- Both laws require data breach notifications to the authority and the data subjects.
- One difference to note, POPIA says that the reporting of the breach must happen as soon as reasonably possible where GPDR has a stricter timeline of 72 hours.
- Both laws restrict data transfers to other countries unless one of the exceptions is met.
- The list of exceptions is similar and include that the other country has an adequate level of protection, the data subject has given consent, or the transfer is necessary to fulfill a contract, etc.
Enforcement and Penalties
- Both laws include multiple avenues for enforcement and penalties including fines.
- One difference to note is that POPIA allows individuals to be imprisoned if convicted.
You can learn more about POPIA here.
A big thank you to Simoné Deyzel at our partner Azuro for her contributions to this post.