The South African Protection of Personal Information Act (POPIA) aims to give the citizens of South Africa more control over their data and requires any organization that processes personal information in South Africa to protect that data. POPIA, which is focused on data protection rights for data subjects, took effect on July 1, 2020; the President of South Africa declared that POPIA enforcement would begin on July 1, 2021.
The POPIA is comparable to the European Union (EU)’s General Data Protection Regulation (GDPR) and derives from many of the same foundational principles. It grants citizens specific rights over their personal information, sets requirements for data processing, defines personal information for the purpose of end-user protection, imposes fines for privacy violations, and establishes the Information Regulator (SAIR) to enforce and monitor the new laws.
For many organizations operating within and outside of South Africa, understanding the differences and similarities will be essential to adequate preparation and compliance.
There are key similarities and differences between POPIA and GDPR:
Getting Personal with PII (POPIA Personal Data vs. GDPR Personal Data)
- POPIA applies to the personal data of any individual—regardless of their nationality. So while the GDPR is only designed to protect EU citizens, the POPIA covers anyone whose personal data is processed within South African territory or by a South African undertaking.
- While both POPIA and GDPR split the definition of data into personal information and special personal information (or sensitive data in the GDPR), POPIA also assigns criminal offenses to vulnerable information.
- Both the POPIA and GDPR outline only very general data security requirements, merely stating that you must implement appropriate technical and organizational measures to protect personal data in your possession.
- POPIA requires all companies and organizations to appoint an Information Officer (automatically assigned to the CEO), whose role and responsibilities differ in important areas from the GDPR’s Data Protection Officer. In addition, POPIA also requires companies and organizations to appoint a Deputy Information Officer.
- The POPIA procedure for reporting a data breach is similar to GDPR—where, in general, you must notify both the relevant regulatory body and the individuals affected by the breach.
- The POPIA states that you must do this as soon as reasonably possible after becoming aware of the breach. However, GDPR requires you to notify your supervisory authority within the limited time period of 72 hours.
Penalties: POPIA vs. GDPR
- The financial penalty for a POPIA infringement can range up to 10 million ZAR (South African rand), which is significantly lower than a potential GDPR fine of up to €20 million or 4% of annual global turnover.
- In comparison, GDPR sanctions focus more directly on non-compliance. Nevertheless, when setting a fine, European enforcement authorities may still consider the degree of cooperation and demonstrability an organization shows during their investigations.
- Under South African legislation, individuals can be held criminally responsible and sentenced to prison for up to 10 years in more severe cases. POPIA sanctions apply to non-compliance and a range of other offenses, including hindering, obstructing, or unlawfully influencing enforcement officials, failing to attend court hearings, and lying under oath.
Preparing for POPIA
Do you have a data footprint in South Africa? Many organizations have already made the necessary adjustments to comply with existing global regulations such as CPRA, CDPA, LGPD, and GDPR. Regardless, it’s essential to apply a proactive privacy strategy that addresses POPIA’s distinct requirements and integrates them with your existing privacy compliance program, instead of operating in a reactive state.