On 1 July 2020, the Protection of Personal Information Act (POPIA) finally came into force in South Africa. Regulations like POPIA and Brazil’s LGPD are part of the growing trend of data privacy legislation following the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Most sections of the act are now officially law. But compliance isn't mandatory until the remaining part of the legislation, which grants enforcement powers to South Africa's new regulatory authority, the Information Regulator, comes into effect on 1 July 2021. This means that, if your organization is subject to the POPIA, you only have a few months left to comply.
In this post, we give you a brief introduction to the new legislation and help you decide whether your company comes within the scope of the law. We’ll also guide you through the main differences and similarities between the POPIA and its European counterpart, the GDPR.
The POPIA is the latest in a succession of new data protection laws aimed at strengthening the privacy rights of individuals in today’s data-driven landscape.
The law was signed into law in November 2013, well before the EU adopted the GDPR in April 2016. But progress subsequently stalled for several years until the South African government finally set a commencement date in 2020.
Despite its slightly earlier origin, the POPIA is still very similar to the GDPR, sharing much the same guiding principles, including accountability, transparency, security, data minimization, purpose limitation and the rights of data subjects.
In general, unless your organization is based in South Africa, it's unlikely you'll need to comply. But if you're a large-scale enterprise, the answer isn't quite so simple.
This is because the POPIA draws its territorial scope differently from other recent data protection laws: what matters is where the processing takes place, not where the data subject is.
The GDPR, for example, applies to any organization that processes the personal data of individuals in the European Economic Area (EEA), regardless of those individuals' nationality and of where in the world the organization is based.
The POPIA, by contrast, applies only to responsible parties domiciled in South Africa and to those that, although domiciled elsewhere, use automated or non-automated means located in South Africa to process personal data (unless those means are used only to forward the data through the country). So, to check whether you need to comply, you'll need to find out exactly where you're processing personal data. This should include the whereabouts of not only your on-premises data centers but also your cloud-based deployments.
However, you may have a data footprint in South Africa that is not immediately apparent. Your cloud infrastructure will likely be the deciding factor for whether or not the South African data protection law applies to your company: both AWS (the af-south-1 region in Cape Town) and Microsoft Azure (the South Africa North and South Africa West regions) now have cloud regions in South Africa, and your company could very well be using them to bring data closer to African customers. Cross-region replication and backup targets count too, since a bucket or database that replicates into a South African region is processed there even if its primary copy is not.
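One way to run that footprint check against a cloud inventory export, as an added example that is not part of the original post: the script below walks a list of resources, normalizes region names from both providers, and flags anything located in a South African region or replicating into one. The region identifiers (AWS af-south-1, Azure southafricanorth and southafricawest) are the real ones; the inventory record format, the field names `id`, `region` and `replicates_to`, and the sample resources are assumptions constructed for this example, so adapt them to whatever your own export (AWS Config, Azure Resource Graph, a CMDB dump) produces.

```python
"""Flag cloud resources with a South African data footprint.

Added example, not code from the original post. The inventory schema and
sample records below are constructed for illustration; the region ids are
the real AWS and Azure identifiers for the South African regions.
"""

# Canonical ids of the South African regions (lower case, no spaces).
SOUTH_AFRICAN_REGIONS = {"af-south-1", "southafricanorth", "southafricawest"}


def normalize_region(region: str) -> str:
    """Map display names such as 'South Africa North' to canonical ids."""
    return region.strip().lower().replace(" ", "").replace("_", "")


def is_south_african(region: str) -> bool:
    """True if the (raw or display-form) region name is a South African region."""
    return normalize_region(region) in SOUTH_AFRICAN_REGIONS


def south_african_footprint(inventory):
    """Return {resource_id: reason} for every resource touching South Africa.

    A resource is flagged if it lives in a South African region, or if it
    replicates into one. The second case is the one audits tend to miss
    when only each resource's primary region is inspected.
    Assumed record shape: {"id": str, "region": str, "replicates_to": [str]}.
    """
    findings = {}
    for res in inventory:
        rid = res["id"]
        if is_south_african(res["region"]):
            findings[rid] = "located in " + normalize_region(res["region"])
            continue
        targets = [normalize_region(t) for t in res.get("replicates_to", [])
                   if is_south_african(t)]
        if targets:
            findings[rid] = "replicates to " + ", ".join(targets)
    return findings


# Constructed sample inventory (hypothetical resources, not real accounts).
SAMPLE_INVENTORY = [
    {"id": "arn:aws:ec2:af-south-1:111122223333:instance/i-0example1",
     "provider": "aws", "region": "af-south-1"},
    {"id": "arn:aws:s3:::crm-backups-eu",
     "provider": "aws", "region": "eu-west-1",
     "replicates_to": ["af-south-1"]},          # primary in Ireland, copy in Cape Town
    {"id": "arn:aws:rds:eu-west-1:111122223333:db:orders",
     "provider": "aws", "region": "eu-west-1"},
    {"id": "/subscriptions/0000/resourceGroups/crm/providers/"
           "Microsoft.Storage/storageAccounts/crmza",
     "provider": "azure", "region": "South Africa North"},  # display name, not id
    {"id": "/subscriptions/0000/resourceGroups/web/providers/"
           "Microsoft.Compute/virtualMachines/web01",
     "provider": "azure", "region": "westeurope"},
]

if __name__ == "__main__":
    for rid, reason in south_african_footprint(SAMPLE_INVENTORY).items():
        print(f"{rid}: {reason}")
```

Run against the sample data, the check flags three of the five resources: the EC2 instance and the Azure storage account because they live in a South African region, and the S3 bucket in eu-west-1 because its replication rule copies objects into af-south-1. Feeding it a real export is the quickest way to answer the territorial-scope question before the legal analysis starts.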
In terms of how it defines personal data, the POPIA is more extensive than the GDPR, as it covers not only the information you collect about individuals but also about companies and other types of organizations.
This is a significant departure from other data privacy laws. So it’s not yet clear how exactly it will work in practice. However, as your first step to compliance, you should reflect the new legal requirements in your contracts with partners, suppliers, and vendors.
As with the GDPR, the POPIA classifies a separate subcategory of personal data, known as special personal information, which is more sensitive and therefore subject to stricter requirements. This mainly relates to an individual’s:
In addition, the POPIA applies to the personal data of any individual, regardless of nationality, so long as it is processed within South African territory or by a South African undertaking. The GDPR is nationality-neutral in the same way: it protects individuals who are in the EEA, not EU citizens as such.
You don't generally need to seek consent to collect an individual's personal information; as under the GDPR, consent is only one of several lawful justifications for processing. However, you must still obtain consent where you collect any type of special personal information, unless one of the act's specific exemptions for that category applies.
Specific consent rules also apply to collection of data about children, aged 17 and under, where you normally need the consent of a competent person, such as a parent or guardian.
In addition, you may only process personal data for direct marketing (by email, telephone or SMS) where the data subject is a customer or has given their consent to processing.
However, you must give customers a reasonable opportunity to object to processing if they wish. And, as with the GDPR, your communications should include details on how to opt out of your marketing list.
Similar rules to the GDPR also apply regarding transparency. This basically means that, wherever you collect personal data about individuals, you must be upfront about:
As with the GDPR, the most practical way of providing this information is to incorporate it into your online privacy policy.
Even though you don’t necessarily need consent to collect personal data, you must still meet all other POPIA conditions for lawful processing.
These share much in common with other new data protection laws, such as similar requirements for data security, data transfer and rights of access.
However, you'll need to be aware of one distinctly different condition: in all but a few specified circumstances, you may only collect personal data directly from the data subject rather than from third-party sources.
Both the POPIA and GDPR outline only very general data security requirements by merely stating you must implement appropriate technical and organizational measures to protect personal data in your possession.
This basically allows you to tailor security measures to the nature of the personal data you process, impact level of a potential breach and cost of implementation.
Neither law really goes into any further detail—although the POPIA does mention you should give due regard to generally accepted security practices and procedures.
In general, the POPIA and GDPR prohibit transfers of personal data outside of South Africa and the EEA respectively.
However, in the case of the POPIA, cross-border transfers are permitted to a third party that is subject to legal or corporate data protection rules substantially similar to its own.
The GDPR works on similar lines: international transfers are permitted freely only to countries that the European Commission has found to provide adequate protection of personal data. The US, which has no comprehensive federal privacy law, currently has no such adequacy decision. The EU-US Privacy Shield framework that previously covered US transfers was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so transfers to the US now have to rely on other safeguards such as standard contractual clauses or binding corporate rules.
Under both laws, certain types of transfer are exempt from the conditions, such as when an individual has consented to the transfer or where the transfer is necessary to fulfill a contract.
The POPIA grants data subjects similar rights of access, correction and erasure to the GDPR. Under both laws, individuals may request, free of charge, confirmation of whether or not you process their personal information.
But, unlike the GDPR, the POPIA allows you to charge a fee for providing individuals with a copy of the information you hold about them. If you choose to do so, you must give a written estimate of the cost before you provide the service.
The POPIA only states that you must respond to any such request within a reasonable time. The GDPR, on the other hand, is more specific—where, under normal circumstances, you must respond to a data subject access request (DSAR) without delay and within a month at the latest.
The POPIA designates the role of information officer with similar responsibilities to those of a data protection officer (DPO) under the GDPR.
But, whereas a DPO is only mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, all organizations that come within the scope of the POPIA must appoint an information officer. In the absence of a formal appointment, the role of information officer falls to the head of your organization, usually the chief executive officer (CEO).
The POPIA procedure for reporting a data breach is very much like that of the GDPR—where, in general, you must notify both the relevant regulatory body and the individuals affected by the compromise.
The POPIA simply states you must do this as soon as reasonably possible after becoming aware of the breach. The GDPR, by contrast, specifically requires you to notify your supervisory authority within 72 hours of becoming aware of it, and to notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
At R10 million, the maximum financial penalty for a POPIA infringement is significantly lower than a potential GDPR fine, which can reach up to €20 million or 4% of annual global turnover. However, under South African legislation, individuals can be held criminally responsible and sentenced to prison for up to 10 years in more serious cases.
What’s more, POPIA sanctions not only apply to non-compliance but also a range of other offenses, which include:
By contrast, GDPR sanctions focus more directly on non-compliance. Nevertheless, when setting a fine, European enforcement authorities may still consider the degree of cooperation an organization shows during their investigations.
POPIA vs GDPR: Four Key Differences

| | POPIA | GDPR |
|---|---|---|
| Territorial scope | Restricted to organizations that are either based in South Africa or process personal data there | Global: applies to any organization, wherever based, that processes the personal data of individuals in the EEA |
| DSAR response times | Within a reasonable time period | Generally within a month |
| Breach notification deadline | As soon as reasonably possible | Within 72 hours |
| Maximum penalties | R10 million fine or 10 years' imprisonment | 4% of global annual revenue or €20 million, whichever is higher |
Find out more about how POPIA compares to data privacy legislation around the world in this new guidebook.
And to ensure you stay in line with data privacy legislation around the world, try NetApp Cloud Compliance, free for up to 1 TB of data.