GDPR vs POPIA. How do they compare? The key is to identify the differences and similarities between the GDPR and the POPI Act. For example, who needs to comply with them? Do they both apply to the same data subjects? Do they both require a data protection officer? Europe’s data protection law, the General Data Protection Regulation (or GDPR), came into operation on 25 May 2018. South Africa’s data protection law, the Protection of Personal Information Act (POPIA), was enacted in 2013, commenced on 1 July 2020 and came into operation on 1 July 2021.
What does the GDPR mean for POPIA? Must you comply with both of them? And, if you do, does POPIA create any extra compliance requirements for an organisation beyond what the GDPR requires? What happens if there is a conflict between them? And if you have been busy with a POPI Act compliance programme or project, what should you be doing differently? If you have a mature GDPR compliance programme, what should you be doing to also comply with POPIA? Which one should you be doing first?
Many organisations have undertaken significant work to comply with the GDPR and now seek to understand what specific actions they need to take to also comply with POPIA.
The GDPR vs POPIA debate: Flavours of the same thing?
The good news is that the GDPR and POPIA are simply different flavours of data protection law. They are quite similar to each other. Obviously, when South Africa enacted POPIA, it did not yet know what the GDPR would look like. The concern was that the GDPR would be significantly different from POPIA, necessitating substantial changes to POPIA by the South African Parliament. As it turned out, the GDPR is more of an update to data protection law than a complete overhaul. There is much debate about whether this is a good thing and whether the GDPR protects data privacy in the data-centric world we live in.
They are similar but there are some essential differences
However, for those who have already taken significant steps to comply with POPIA or the GDPR, this is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.
For those of you who have not started, first work out whether you need to comply with the GDPR. If you do, focus on the GDPR first and then move on to the POPI Act.
The POPI Act must be brought in line with the GDPR
Considering the EU is one of South Africa’s largest trading partners, South Africa should align POPIA more closely with the GDPR. This could be achieved by Parliament amending POPIA or the Information Regulator interpreting it in line with the GDPR, or by publishing Regulations that align with the GDPR. We think it is unlikely that Parliament will amend POPIA, and the POPIA Regulations don’t change the position much, so it will be up to the Information Regulator to do it over time.
Do their timelines overlap?
No. The GDPR came into force on 24 May 2016 and its two-year grace period ended on 25 May 2018. POPIA commenced on 1 July 2020, with a 12-month grace period running from that date. This means that their timelines don’t overlap. The GDPR deadline was 25 May 2018. The POPIA deadline was 1 July 2021.
You might have to comply with the GDPR
Some organisations outside the EU still need to comply with the GDPR. The GDPR applies to any data processing activities done by a controller (called a responsible party under POPIA) in the EU. It also applies to all processing of personal data of data subjects residing in the EU even if the entity processing the data is not in the EU. So, if any entity is offering goods and services to EU citizens or monitoring their behaviour, they will likely be required to comply with the GDPR. Find out whether you must comply with the GDPR.
Who needs to comply with POPIA?
Every public or private body in South Africa. In addition, any organisation outside South Africa that processes personal information in South Africa must comply with the POPI Act.
How are they the same?
They share many similarities. Most of the definitions are close – POPIA has an information officer where the GDPR has a data protection officer, and a responsible party where the GDPR has a controller. The conditions or principles are also similar. The problem is that they are slightly different in some very important ways. For example, regarding security:
- GDPR says “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected”.
- POPIA says “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”.
Which one do you follow?
How are they different?
The GDPR does not protect legal entities. It also does not create such severe penalties for failing to protect an account number. It exempts some SMEs from having to keep records; SMEs can find a useful infographic on the website of the European Commission. The GDPR makes a data protection officer obligatory for only some organisations, while POPIA provides that every organisation has an information officer by default. The GDPR also deals with the right to be forgotten and data portability, has a definition of genetic data, and requires data controllers to do data protection impact assessments. The fines are much bigger under the GDPR, but there are no criminal offences in the GDPR.
You must take a global view
There is a good chance that you will need to comply with multiple data protection laws (like the GDPR and POPIA). This is why it is essential to take a global view and comply with what is common among them.
- Empower yourself with practical knowledge by booking practical legal training.
- Comply with data protection law by joining our data protection programme and working through the POPI lens.
Get the GDPR POPIA comparison report
We have drafted (and continually update) a GDPR and POPIA Comparison Report, which compares the two laws. The report will help you to see the key differences between the two (differences that create extra compliance requirements) and help you to:
- implement better programmes to protect personal information or data,
- comply with both laws,
- fit your POPIA compliance effort in with your global data protection compliance programme,
- comply with a local data protection law after you’ve complied with the GDPR without redoing much of what you’ve already done, or
- avoid having to do things twice.
There are two ways for you to get the report.
- You can buy the report for a once-off fee.
- Members of our data protection programme get the report as part of their subscription.
The difference between data privacy, data protection and POPI
They are essentially synonyms. The United States generally uses the term data privacy, whilst most of the rest of the world uses the term data protection. A few countries (like South Africa) use “protection of personal information” rather than data protection, but they mean the same thing.