POPIA – South Africa’s new data protection law, in brief
The EU's General Data Protection Regulation (GDPR) is no longer only a European data privacy law; it has become a global data privacy standard, and the speed with which that standard is spreading around the world is increasing, raising the level of protection for end-user privacy on the Internet.
South Africa's POPIA (the Protection of Personal Information Act) is the latest major data privacy law to be modelled closely on the EU's GDPR (and the ePrivacy Directive). It gives data subjects enforceable rights over their personal information, establishes eight conditions for lawful processing (with consent as one of the recognised legal bases), adopts a broad definition of personal information for comprehensive protection, and establishes the Information Regulator (SAIR) as the lead supervisor and enforcer of the law.
POPIA quick breakdown
- POPIA took effect on July 1, 2020.
- POPIA enforcement began on July 1, 2021.
- POPIA applies to any company or organization processing personal information that is domiciled in South Africa, or that is not domiciled there but makes use of automated or non-automated means of processing located in the country (unless those means are used only to forward personal information through South Africa).
- Penalties for non-compliance with POPIA include fines of up to 10 million ZAR (South African rand) and, for certain offences, imprisonment.
- Transfers of personal information outside South Africa are restricted by POPIA and are only permitted under listed exceptions (e.g. adequate protection in the receiving country, the data subject's consent, or necessity for a contract).
- POPIA creates nine actionable rights for South African citizens (data subjects), including but not limited to the right to access, right to correction and right to deletion.
- POPIA also creates eight conditions for lawful data processing, in which the consent of the data subject plays a central role. It is up to websites, companies and organizations ("responsible parties") to prove that their processing is lawful, e.g. that valid consent has been obtained from users.
- POPIA defines consent as any voluntary, specific and informed expression of will by which permission is given for the processing of personal information.
- POPIA defines processing broadly as including collection, receipt, recording, organization, storage, merging, linking, and more.
- POPIA defines personal information broadly as any information relating not only to an identifiable living natural person but, where applicable, also to an identifiable existing juristic person such as a company.
- POPIA allows companies and organizations to process personal information without consent where this is necessary to protect a "legitimate interest" of the data subject, or to pursue the legitimate interests of the responsible party or a third party. This creates a point of ambiguity that is open to abuse and is difficult to enforce.
POPIA vs GDPR
There are key differences between POPIA and GDPR, in particular –
- POPIA also protects companies and organizations as juristic persons, whereas the GDPR only protects living individuals.
- Unlike the GDPR, which applies to the processing of personal data of data subjects in the EU regardless of where the controller or processor is located, POPIA applies only to responsible parties domiciled in South Africa, with the exception of entities that make use of processing means located in South Africa (e.g. adtech and social media companies).
- Where the GDPR defines a data processor (a natural or legal person processing personal data on behalf of the data controller), POPIA's equivalent is the "operator" acting on behalf of the "responsible party". POPIA does not, however, define "joint controller" responsibility as we know it from the EU.
- POPIA requires every company and organization to designate an Information Officer (by default the head of the body, e.g. the CEO), whose role and responsibilities differ in important respects from the GDPR's Data Protection Officer. POPIA also requires companies and organizations to make provision for the designation of Deputy Information Officers where necessary.
- Both POPIA and the GDPR distinguish between ordinary personal information and special personal information (sensitive data under the GDPR); POPIA prohibits the processing of special personal information by default, subject to listed exceptions, and attaches criminal offences to certain breaches.
Original article provided by CookieBot.com