Oh, the GDPR POPI debate. The General Data Protection Regulation (or GDPR) has been adopted by the European Parliament in early 2016 and the deadline for compliance was 25 May 2018. South Africa’s data protection law, the Protection of Personal Information Act (POPI or POPIA) was enacted in 2013 but has yet to commence. What does the GDPR mean for the POPI Act? Is the POPI Act going to be amended? Must you comply with both of them? And, if you do, does POPIA create any extra compliance requirements on an organisation in addition to what the GDPR requires? What happens if there is a conflict between them? And if you have been busy with a POPI Act compliance project, what should you be doing differently? If you have been busy with a GDPR compliance project, what should you be doing to also comply with POPIA? Which one should you be doing first?
The GDPR POPI debate: Flavours of the same thing?
The good news is that the GDPR and POPIA are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South Africa enacted POPIA, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA and it would mean that the South African Parliament would need to change POPIA significantly. The GDPR is more an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR protects data privacy in the data-centric world we live in.
But for those who have already done much to comply with POPIA or the GDPR, it is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.
For those of you who have not started, focus on GDPR first and not POPIA. You first need to work out whether you need to comply with the GDPR. If you do, focus on the GDPR first and then later move on to POPI.
POPI must be brought in line with the GDPR
Considering the EU is one of South Africa’s biggest trade partners, South Africa is going to have to bring POPIA more in line with the GDPR. This could be done by Parliament amending POPIA or the Information Regulator interpreting it in line with the GDPR or publishing Regulations that are in line with the GDPR. We think it is unlikely that Parliment will amend POPIA and the POPI Regulations don’t change the position much so it will be up to the Information Regulator to do it over time.
Do their timelines overlap?
The GDPR came into force on 24 May 2016 and the two-year grace period ended on 25 May 2018. The POPIA commencement date will probably be in the first half of 2019. This means that their timelines are not going to overlap. The GDPR deadline is 25 May 2018. The POPIA deadline will be at some point in 2020. Clearly, if you have to comply with both the GDPR and POPIA, you either need to do the GDPR first or do both the GDPR and POPIA at the same time.
You might have to comply with the GDPR
The General Data Protection Regulation applies to any data processing activities that are done by a controller in the EU. It also applies to all processing of personal data of data subjects residing in the EU even if the entity processing the data is not in the EU. So, if any entity is offering goods and services to EU citizens or monitoring their behaviour they will be required to comply with the GDPR. Find out whether you must comply.
How they are the same
They are the same in many ways. Most of the definitions are close – you have an information officer and a data protection officer – a controller and a responsible party. The conditions or principles are also similar. The problem is that they are slightly different in some very important ways. For example, regards security:
- GDPR says “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected”.
- POPIA says “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”.
Which one do you follow?
How they are different
The GDPR does not protect legal entities. It also does not create such serious penalties for failing to protect an account number. It exempts some SMEs from having to keep records. SMEs can find a useful infographic for SMEs on the website of the European Commission. The GDPR also makes it obligatory for some organisations to have a data protection officer, whereas POPIA provides that every organisation has an information officer by default. And the GDPR deals with the right to be forgotten and data portability. The GDPR has a definition of genetic data and requires data controllers to do data protection impact assessments. The fines are much bigger in the GDPR but there are no criminal offences in the GDPR.
You must take a global view
There is a good chance that you will need to comply with multiple different data protection laws (like the GDPR, the ePrivacy Regulation, POPIA and the Privacy Shield). This is why it is important that you take a global view and comply with what is common among them.
- Empower yourself with practical knowledge by booking practical legal training.
- Comply with data protection law by joining a Data Protection Programme.
Get a GDPR POPI comparison report
We can provide you with a GDPR POPI comparison report that will help you to see the differences between the two and help you to:
- implement better programmes to protect personal information or data,
- comply with both laws,
- fit your POPIA compliance effort in with your global data protection compliance programme,
- comply with a local data protection law after you’ve complied with the GDPR without redoing much of the things you’ve already done, or
- avoid having to do things twice.