POPI vs GDPR
Data protection has recently become a popular topic, and as the world becomes more sensitive to the protection of personal information, and to the risks associated with a breach, countries are creating and developing various pieces of legislation and protocols to counteract these risks.
One of the most prominent and successful pieces of data protection legislation is the European Union General Data Protection Regulation (“GDPR”). Many recall that when the GDPR came into effect, their inboxes were flooded with mails requesting subscribers to agree to new terms and conditions in terms of the GDPR, and accordingly the GDPR was brought to the forefront of data protection.
Locally, the Protection of Personal Information Act (“POPI”) is set to be fully enacted on 1 July 2021, and there are accordingly many questions around its contents and implementation, as well as whether being POPI compliant will result in GDPR compliance.
The basis of both the GDPR and POPI is a set of principles for lawful processing, with the GDPR having 7 such principles and POPI having 8. These principles guide data subjects as well as processors on how to ensure openness and transparency with regard to how and why data is collected and stored, how data subjects can participate in ensuring compliance, and how data breaches are dealt with.
There are substantial similarities between the two pieces of legislation, however, there are also some distinct differences, which we will touch on within this article.
It is important to understand these differences, as your organisation may be required to sign documentation that references either or both of these pieces of legislation, with many local organisations that are part of a global group requiring their suppliers and clients to perform Data Protection Impact Assessments in terms of the GDPR. The local Information Regulator has agreed with the European Commission that it will locally enforce any breaches of the GDPR, and therefore local companies should not believe that distance from Europe protects them from liability.
It is generally accepted that being GDPR compliant will result in POPI compliance; however, there are certain nuances that South African organisations need to be aware of. South Africa does not yet have an adequacy decision from the European Commission, which would allow for a free flow of data between South Africa and Europe by deeming South Africa “safe” and its data protection legislation equal to the GDPR. It is presumed that once POPI is formally enacted, this adequacy decision will be granted.
Some of the most pertinent differences between the two pieces of legislation are highlighted below:
| STANDARD | POPI | GDPR |
| --- | --- | --- |
| Application | Personal information processed in SA | Personal information of all EU citizens, regardless of jurisdiction |
| Persons | Natural and juristic (companies, trusts) | Natural only |
| Roles | Responsible party and Operator | Data Controller and Processor; joint responsible parties, third parties and recipients |
| Penalties | 10 years imprisonment and/or up to R10m | EUR 20m / up to 4% global turnover |
| Official | Information Officer to be appointed and registered with Information Regulator | Data Protection Officer for certain organizations. Each jurisdiction has its own regulatory enforcement body |
| Breach notifications | “As soon as reasonably possible” | Reports of a breach must be made within 72 hours of knowledge of the breach |
| Data portability | Data subject access request: a record or description of personal information must be given “in a reasonable manner and format and in a form that is generally understandable” | The right for a data subject to receive their data in a “structured, commonly used, machine readable and interoperable format and the right to transmit that data to another controller” |
| Right to be forgotten | POPI only allows for deletion of inaccurate, irrelevant, excessive, out-of-date, incomplete, or misleading data, or data that was obtained unlawfully | The GDPR specifically references a data subject’s right to be forgotten so that their data is permanently deleted |
Whilst there are some differences in the drafting, application and implementation of the two pieces of legislation, the purpose and intent behind both POPI and the GDPR are inherently the same, namely the creation of a uniform manner in which the collection, storing and processing of data is regulated to ensure protection for all data subjects.