The General Data Protection Regulation (or GDPR) has been adopted by the European Parliament in early 2016. South Africa’s data protection law, the Protection of Personal Information Act (POPIA) was enacted in 2013. What does the GDPR mean for the POPI Act? Is the POPI Act going to be amended? Must you comply with both of them? And, if you do, does POPI create any additional compliance requirements on an organisation in addition to what the GDPR requires? What happens if there is a conflict between them? And if you have been busy with a POPI Act compliance project, what should you be doing differently?
The GDPR POPI debate: Flavours of the Same Thing?
The good news is that the GDPR and POPI are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South African enacted POPI, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPI and it would mean that Parliament would need to change POPI significantly. The GDPR is more an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR protects data privacy in the world we live in.
But for those who have already done much to comply with POPI, it is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.
POPI must be brought in line with the GDPR
Considering the EU is one of South Africa’s biggest trade partners, South Africa is going to have to bring POPI more in line with the GDPR. This could be done by Parliament amending POPI or the Information Regulator passing POPI Regulations or interpreting it in line with the GDPR.
Do their Timelines Overlap?
The GDPR will come into force on 24 May 2016 and the two-year grace period will end on 25 May 2018. The POPI commencement date might be before the end of 2017 but may only be in 2018. This means that their timelines are not going to overlap.
You might have to Comply with the GDPR
The General Data Protection Regulation applies to any data processing activities that are done by a controller in the EU. It also applies to all processing of the data of data subjects residing in the EU even if the entity processing the data is not in the EU. So, if any entity is offering goods and services to EU citizens or monitoring their behaviour they will be required to comply with the GDPR.
How they are the Same
They are the same in many ways. Most of the definitions are close – you have an information officer and a data protection officer – a controller and a responsible party. The conditions or principles are also similar. The problem is that they are slightly different in some very important ways. For example, regards security:
- GDPR says “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected”.
- POPI says “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”.
Which one do you follow?
How they are Different
The GDPR does not protect legal entities. It also does not create such serious penalties for failing to protect an account number. It exempts SMEs. And it deals with the right to be forgotten and data portability. The GDPR has a definition of genetic data and requires data controllers to do data protection impact assessments. The fines are much bigger in the GDPR.
You must take a Global View
There is a good chance that you will need to comply with multiple different data protection laws (like POPI, the GDPR, and the Privacy Shield). This is why it is important that you take a global view and comply with what is common among them. To find out more, attend one of our POPI Act workshops.
Get a GDPR POPI Comparison Report
We can provide you with a report that will help you to see the differences between the two and help you to:
- implement better programmes to protect personal information or data,
- comply with both laws,
- fit your POPI compliance effort in with the global data protection compliance programme,
- avoid having to do things twice.