POPI Act compliance and how it compares to GDPR
The Protection of Personal Information Act 4 of 2013, also referred to as the POPI Act, is South Africa’s privacy and data protection regulation. The Act provides guidelines for organizations that process personal information, with the purpose of protecting the public from the harmful consequences of identity theft. It also enables the imposition of penalties on organizations that fail to safeguard personal information.
The Act was introduced and partially enacted in 2013, in order to establish the Information Regulator, a body initially tasked with drafting detailed regulations and codes of conduct. In June 2020, the Act was fully enacted, providing a grace period for organizations to work towards compliance by 1 July 2021.
The Information Regulator now has the legal mandate to investigate data privacy and protection issues and to impose fines and other penalties on those found to have failed to comply with the provisions of the Act.
What information does the POPI Act protect?
It protects personal information, meaning any information relating to an identifiable, living, natural person or, where applicable, an identifiable, existing juristic person (companies, CCs, etc.). This includes, but is not limited to:
- Contact details: such as email addresses, telephone numbers, physical addresses;
- Demographic information: such as age, sex, race, ethnicity;
- Information relating to the education or medical, financial, criminal, or employment history of the person;
- Biometric information: such as fingerprints;
- The personal opinions, views or preferences of the person;
- The views or opinions of another individual about the person;
- Private correspondence sent by the person or further correspondence that would reveal the contents of the original correspondence;
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Certain information, such as biometrics and religious beliefs, is further categorized as ‘special personal information’ and is subject to additional processing restrictions.
When do the provisions of the Act apply?
The Act seeks to establish the right of individuals in South Africa to expect a level of privacy and control when it comes to their own personal information. It also protects juristic persons, meaning the information relating to a company or close corporation.
The Act does not stop organizations from processing personal data in the normal course of business. It does, however, place obligations on the organization relating to measures it must take to safeguard personal information and to restrict processing that is outside of the purpose for which the data was supplied.
In summary, the Act forces companies that process (collect, store or share) information about data subjects (individuals or companies) to ensure they do so in a way that protects the privacy and security of that information. It also gives the data subject more control through the right to submit a query about how their personal information is used by an organization and have that query resolved.
POPI Act (POPIA) vs GDPR: Similarities and differences
For organizations that are already compliant with the EU’s General Data Protection Regulation, the good news is that the GDPR and POPIA are simply different flavors of data protection laws. The POPI Act is closely aligned to the original version of the GDPR, albeit with some differences, such as in the following definitions:
| Concept | GDPR | POPIA |
|---|---|---|
| The party who decides the purpose and the means of processing a data subject’s personal information | Controller | Responsible Party |
| A party that processes personal information on the instructions of the controlling entity | Processor | Operator |
| Organizations to appoint a responsible person | Data Protection Officer (law requires an appointed DPO in both Controller and Processor) | Information Officer (law requires an appointed officer only in the Responsible Party) |
| Definition of data subject | Natural persons | Both living natural persons and existing juristic persons |
| Territory | European Economic Area | South Africa |
The principles and intentions of the two regulations are similar:
- Keep personal information safe
- Know what to do when there’s a data breach
- Appoint people that hold responsibility for data privacy
- Only process data for the purpose for which it was originally provided
However, it’s important to note the differences in some obligations, such as which entities are answerable under each regulation:
- GDPR says “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected”.
- POPIA says “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures”.
The primary difference in the above is that GDPR places obligations on both the controller AND processor, while the POPI Act only places obligations on the responsible party, and leaves the obligations of the operator to be decided between the parties.
What GDPR-compliant SA companies need to know
Even if a company is GDPR compliant, it does not automatically comply with the POPI Act. Certain POPI Act obligations will require amendments to policies and procedures, such as:
- The GDPR only protects individuals, whereas the POPI Act also protects the information of juristic persons (companies or other legal entities)
- The EU regulator can impose fines under GDPR, whereas the SA regulator can impose fines AND jail sentences on guilty parties, which increases the personal risk of company directors and officers
- GDPR requires only certain companies to appoint a DPO, whereas the POPI Act requires that every organization has an information officer
On the plus side, a company that is GDPR compliant will have developed and implemented many policies and procedures that are not mandatory under the POPI Act, but that remain best practice for any organization that processes protected information. For example, conducting data protection assessments and allowing audits/inspections are requirements under GDPR, but not under the POPI Act. Having said that, an organization will battle to take appropriate and reasonable technical measures to protect data if it does not routinely conduct data protection assessments.
Keep an eye on your inbox for my next post in this three-part blog series, in which I will look at the role players, categories of data subject and operators.