The deadline to be POPIA (Protection of Personal Information Act) compliant is fast approaching, and while it has roots in and parallels to GDPR (General Data Protection Regulation), being compliant in one doesn’t mean automatic compliance in the other.
The POPI Act used the EU legislation as guidance for best practice and borrowed some key concepts to create its own law for South Africa, forming likenesses between the two. However, there are still prominent differences to identify.
Our security experts map out the key differences and similarities between the two legal requirements to keep you fine-free and clear on your compliance posture for both.
What is POPIA?
The POPI Act for South Africa gives constitutional rights to privacy with data processing regulations in place as well as clear remedies to protect personal information. The POPIA is made of eight key principles:
| POPI Principle | Overview |
|---|---|
| Accountability | The responsible party must ensure that the principles are adhered to, including appointing an Information Officer. |
| Processing Limitation | There must be limits to the processing of information: processing must be lawful and not excessive; consented, direct collection from the data subject; for the purpose to fulfill a contract. |
| Purpose Specification | Personal information must be collected for a specific, defined and lawful purpose; retention must not be longer than required except in the case of historical, statistical or research purposes; PII must be destroyed when no longer needed. |
| Further Process Limitation | Any further processing must be compatible with the original purpose, if not, further consent is required. |
| Information Quality | The responsible party must ensure that personal information is complete, accurate and not misleading. |
| Openness | A notification must be given to the Information Protection Regulator before the information is processed; the subject must be notified that data is being collected about them and for what purpose. |
| Security Safeguards | The responsible party must: ensure that the integrity of the data is maintained; identify foreseeable risks; establish and maintain safeguards; notify on security compromises. |
| Data Subject Participation | The subject has the right to ask, be given and correct the details of any information on them that the responsible party might have, at no cost. |
What is GDPR?
GDPR was created to ‘harmonize’ the various data privacy laws across the EU and bring them up to date, giving greater protection and rights to individuals in the member states. These seven principles make up GDPR:
| GDPR Principle | Overview |
|---|---|
| Lawfulness, fairness and transparency | Choosing a lawful basis for the collection; fair collection, processing and storing of data; complete transparency on how data is being used. |
| Purpose Limitation | Complete clarity on the purpose for collection and processing of data; used only in the specified purpose; if data is used for additional reasons, further consent is required. |
| Data Minimisation | Identification and collection of the minimal amount of data required for its purpose. |
| Accuracy | Personal data must be accurate, fit for purpose and up to date. |
| Storage Limitation | Data must be deleted or destroyed once used for its designated purpose, with the exception of use for historical, statistical or research purposes. |
| Integrity and Confidentiality | All appropriate measures must be taken to secure the data for internal and external risks. |
| Accountability | Responsibility for the data held, adherence to other principles and ability to demonstrate compliance. |
GDPR vs POPIA: Key Differences
The major differences between GDPR and the POPI Act are in their definitions and concepts, which may sound like small details but, in fact, can have large, knock-on effects if not recognised.
| GDPR | POPIA | |
|---|---|---|
| Definition | ||
| Data Subject | Natural person only. | Natural or juristic person. |
| Territorial Scope | Applies to any business with consumers in the EU. | Applies to responsible parties domiciled or using means in South Africa. |
| Children | No specified age; a natural person under age of 16, with an option to lower age to 13. | Natural person under the age of 18. |
| Pseudonymization | Processing personal data in such a way that it cannot be attributed to a specific person without additional information. | No reference to pseudonymization. |
| Portability | Definition and the right to data portability is explicit. | No reference to portability. |
| Concept | ||
| Rights to erasure | Specific exceptions and response timeframes to deletion requests are detailed. | No specific exceptions or response timeframes to requests, but a template form is provided for deletion requests. |
| Data Protection Officers | DPO is not obligatory for all businesses, but recognition of their expert knowledge, independence and resources needed are specified. | Information Officers are required for all businesses, however limited scope is specified in POPIA with many referrals to PAIA for the role. |
| Enforcement | Fines are a maximum of 4% of global annual turnover or €20 million, whichever is higher. | Fines are limited to ZAR10mil, while imprisonment and sanctions are possible. |
GDPR vs POPIA: Similarities
While some terminology and scope differ between the laws, they ultimately have the same goal: recognition and enforcement of data privacy throughout its entire lifecycle, starting from the collection and ending in deletion or destruction.
Roles and Processing
Both legislations state the requirement for data controllers and processors (GDPR) or responsible parties and operators (POPIA). In both cases, the former roles are appointed to determine the purpose and means for data while the latter roles are needed to process the data. Contracts between the roles are also required as well as impact assessments on the processing itself.
Penalties and Fines
The monetary amounts and available penalties differ, however in both cases, the sums are not inconsequential to a business’s bottom line serving as motivators for enforcement.
Conclusion
There are many key differences in POPIA to take note of that ultimately sees more individuals and organizations fall under its scope than GDPR. However, POPIA compliance and GDPR compliance shouldn’t be viewed as the end goal.
At their core, personal data laws are in place to prevent data breaches and provide clarity, but all businesses should view compliance standards as their base level of security, the first serious step in investment for a greater security posture as cybercriminals continue to get more creative and determined.
ENHALO can help you navigate through GDPR and POPIA – help you with your compliance and ensure you have the relevant controls in place.
