How POPIA maps to GDPR

The deadline to be POPIA (Protection of Personal Information Act) compliant is fast approaching, and while it has roots in and parallels to GDPR (General Data Protection Regulation), being compliant in one doesn’t mean automatic compliance in the other. 

The POPI Act used the EU legislation as guidance for best practice and borrowed some key concepts to create its own law for South Africa, forming likenesses between the two. However, there are still prominent differences to identify. 

Our security experts map out the key differences and similarities between the two legal requirements to keep you fine-free and clear on your compliance posture for both.

What is POPIA?

The POPI Act for South Africa gives constitutional rights to privacy, with data processing regulations in place as well as clear remedies to protect personal information. POPIA is made up of eight key principles:

| POPI Principle | Overview |
| --- | --- |
| Accountability | The responsible party must ensure that the principles are adhered to, including appointing an Information Officer. |
| Processing Limitation | There must be limits to the processing of information: processing must be lawful and not excessive; consented, direct collection from the data subject; for the purpose to fulfill a contract. |
| Purpose Specification | Personal information must be collected for a specific, defined and lawful purpose; retention must not be longer than required except in the case of historical, statistical or research purposes; PII must be destroyed when no longer needed. |
| Further Process Limitation | Any further processing must be compatible with the original purpose, if not, further consent is required. |
| Information Quality | The responsible party must ensure that personal information is complete, accurate and not misleading. |
| Openness | A notification must be given to the Information Protection Regulator before the information is processed; the subject must be notified that data is being collected about them and for what purpose. |
| Security Safeguards | The responsible party must: ensure that the integrity of the data is maintained; identify foreseeable risks; establish and maintain safeguards; notify on security compromises. |
| Data Subject Participation | The subject has the right to ask, be given and correct the details of any information on them that the responsible party might have, at no cost. |

What is GDPR?

GDPR was created to ‘harmonize’ the various data privacy laws across the EU and bring them up to date, giving greater protection and rights to individuals in the member states. These seven principles make up GDPR:

| GDPR Principle | Overview |
| --- | --- |
| Lawfulness, fairness and transparency | Choosing a lawful basis for the collection; fair collection, processing and storing of data; complete transparency on how data is being used. |
| Purpose Limitation | Complete clarity on the purpose for collection and processing of data; used only in the specified purpose; if data is used for additional reasons, further consent is required. |
| Data Minimisation | Identification and collection of the minimal amount of data required for its purpose. |
| Accuracy | Personal data must be accurate, fit for purpose and up to date. |
| Storage Limitation | Data must be deleted or destroyed once used for its designated purpose, with the exception of use for historical, statistical or research purposes. |
| Integrity and Confidentiality | All appropriate measures must be taken to secure the data for internal and external risks. |
| Accountability | Responsibility for the data held, adherence to other principles and ability to demonstrate compliance. |

GDPR vs POPIA: Key Differences

The major differences between GDPR and the POPI Act are in their definitions and concepts, which may sound like small details but, in fact, can have large, knock-on effects if not recognised.


| | GDPR | POPIA |
| --- | --- | --- |
| Definition | | |
| Data Subject | Natural person only. | Natural or juristic person. |
| Territorial Scope | Applies to any business with consumers in the EU. | Applies to responsible parties domiciled or using means in South Africa. |
| Children | No specified age; a natural person under age of 16, with an option to lower age to 13. | Natural person under the age of 18. |
| Pseudonymization | Processing personal data in such a way that it cannot be attributed to a specific person without additional information. | No reference to pseudonymization. |
| Portability | Definition and the right to data portability is explicit. | No reference to portability. |
| Concept | | |
| Rights to erasure | Specific exceptions and response timeframes to deletion requests are detailed. | No specific exceptions or response timeframes to requests, but a template form is provided for deletion requests. |
| Data Protection Officers | DPO is not obligatory for all businesses, but recognition of their expert knowledge, independence and resources needed are specified. | Information Officers are required for all businesses, however limited scope is specified in POPIA with many referrals to PAIA for the role. |
| Enforcement | Fines are a maximum of 4% of global annual turnover or €20 million, whichever is higher. | Fines are limited to ZAR10mil, while imprisonment and sanctions are possible. |

GDPR vs POPIA: Similarities

While some terminology and scope differ between the laws, they ultimately have the same goal: recognition and enforcement of data privacy throughout its entire lifecycle, starting from the collection and ending in deletion or destruction.

Roles and Processing

Both laws state the requirement for data controllers and processors (GDPR) or responsible parties and operators (POPIA). In both cases, the former roles determine the purpose and means of processing the data, while the latter roles carry out the processing. Contracts between the roles are also required, as well as impact assessments on the processing itself.

Penalties and Fines

The monetary amounts and available penalties differ; however, in both cases the sums are not inconsequential to a business’s bottom line, serving as motivators for enforcement.

Conclusion

There are many key differences in POPIA to take note of that ultimately see more individuals and organizations fall under its scope than GDPR. However, POPIA compliance and GDPR compliance shouldn’t be viewed as the end goal.

At their core, personal data laws are in place to prevent data breaches and provide clarity, but all businesses should view compliance standards as their base level of security, the first serious step in investment for a greater security posture as cybercriminals continue to get more creative and determined. 

ENHALO can help you navigate through GDPR and POPIA – help you with your compliance and ensure you have the relevant controls in place.

Gerhard Conradie

Gerhard, Co-Founder and Global Head of Solutions Architecture, sees quality staff as the most important asset to any business, and believes that giving them the space to grow as much as they are willing and able to, motivates them to grow Enhalo as well.
