It seems the age-old GDPR vs POPIA debate is still raging. How do they compare, you ask? The key is to find out what the differences and similarities are between the GDPR and the POPI Act. For example, the compliance deadline for the General Data Protection Regulation (or GDPR) was 25 May 2018. South Africa’s data protection law, the Protection of Personal Information Act (POPIA), was enacted in 2013 and commenced on 1 July 2020; its one-year grace period ended on 30 June 2021, so full compliance has been required since 1 July 2021.

What does the GDPR mean for POPIA? Must you comply with both of them? And, if you do, does POPIA create any extra compliance requirements on an organisation in addition to what the GDPR requires? What happens if there is a conflict between them? And if you have been busy with a POPI Act compliance project, what should you be doing differently? If you have been busy with a GDPR compliance project, what should you be doing to also comply with POPIA? Which one should you be doing first?

The GDPR vs POPIA debate: Flavours of the same thing?

The good news is that the GDPR and POPIA are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South Africa enacted POPIA, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA and it would mean that the South African Parliament would need to change POPIA significantly. The GDPR is more an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR protects data privacy in the data-centric world we live in.

But for those who have already done much to comply with POPIA or the GDPR, it is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.

For those of you who have not started, first work out whether you need to comply with the GDPR at all (see below). If you do, focus on the GDPR first and then move on to the POPI Act; the POPIA work will largely be a delta on top of what you have already done. If you don’t, POPIA is your starting point.

The POPI Act must be brought in line with the GDPR

Considering the EU is one of South Africa’s biggest trading partners, South Africa will have to bring POPIA more in line with the GDPR. This could be done by Parliament amending POPIA or the Information Regulator interpreting it in line with the GDPR or publishing Regulations that are in line with the GDPR. We think it is unlikely that Parliament will amend POPIA and the POPI Regulations don’t change the position much, so it will be up to the Information Regulator to do it over time.

Do their timelines overlap?

No. The GDPR entered into force on 24 May 2016 and became applicable when its two-year transition period ended on 25 May 2018. POPIA commenced on 1 July 2020, with a 12-month grace period running from that date and ending on 30 June 2021. So their timelines don’t overlap: the GDPR deadline was 25 May 2018 and the POPIA deadline was 1 July 2021.

You might have to comply with the GDPR

The GDPR applies to processing of personal data in the context of the activities of a controller (called a responsible party under POPIA) or processor (called an operator under POPIA) established in the EU, wherever the processing itself takes place. It also applies to a controller or processor outside the EU where the processing relates to offering goods or services to data subjects who are in the EU, or to monitoring their behaviour within the EU. Note that the test is whether the data subjects are in the EU, not whether they are EU citizens: a South African company selling to people in Germany will likely have to comply, regardless of their nationality. Find out whether you must comply.

How they are the same

They are the same in many ways. Most of the definitions map closely onto each other: the GDPR has a data protection officer and POPIA an information officer; the GDPR has a controller and a processor, POPIA a responsible party and an operator. The conditions (POPIA) and principles (GDPR) are also similar. The problem is that they are slightly different in some very important ways. For example, regarding security:

  • GDPR (Article 32(1)) says “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
  • POPIA (section 19(1)) says “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures” to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it.

Which one do you follow? In practice, both. The GDPR standard is expressly risk-based and binds the processor directly; POPIA adds a reasonableness test, puts the duty on the responsible party (which must in turn bind its operators by written contract) and requires it to have due regard to generally accepted information security practices and any industry or professional rules that apply to it. A risk-assessed control set, documented against a recognised security standard and flowed down to operators by contract, will satisfy both.

How they are different

The GDPR protects only natural persons, whereas POPIA also protects juristic persons (companies and other legal entities). The GDPR also does not create the specific, serious penalties that POPIA attaches to failing to protect an account number. It exempts some SMEs from the obligation to keep records of processing activities; the European Commission publishes a useful infographic for SMEs on its website. The GDPR makes a data protection officer obligatory only for some organisations, while under POPIA every organisation has an information officer by default (the head of the organisation, unless someone else is designated). The GDPR deals expressly with the right to be forgotten and with data portability, has a definition of genetic data, and requires controllers to carry out data protection impact assessments for high-risk processing. The administrative fines are much bigger under the GDPR, but the GDPR itself creates no criminal offences, whereas POPIA does.

You must take a global view

There is a good chance that you will need to comply with multiple different data protection laws (like the GDPR and POPIA). This is why it is important that you take a global view: build your programme on what is common among them, and then, for each control where the laws differ, apply the stricter requirement so that one set of measures satisfies all of them.

  1. Empower yourself with practical knowledge by booking practical legal training.
  2. Comply with data protection law by joining our data protection programme.

Get the GDPR POPIA comparison report

We have drafted (and continually update) a GDPR POPIA Comparison Report comparing the two laws. The report will help you to see the key differences between the two (differences that create extra compliance requirements) and help you to:

  • implement better programmes to protect personal information or data,
  • comply with both laws,
  • fit your POPIA compliance effort in with your global data protection compliance programme,
  • comply with a local data protection law after you’ve complied with the GDPR without redoing much of the things you’ve already done, or
  • avoid having to do things twice.

There are two ways for you to get the report.

  1. You can buy the report for a once-off fee.
  2. Members of our data protection programme get the report as part of their subscription.

The difference between data privacy, data protection and POPI

They are all synonyms and essentially mean the same thing. The United States generally uses the term data privacy, whilst most of the rest of the world uses the term data protection. A few countries (like South Africa) use “protection of personal information” rather than data protection, but they are essentially the same thing.