PoPI vs. GDPR

Media Rocket
Black Ink Advisory
5 min read · Aug 6, 2018

What is PoPI

PoPI (Protection of Personal Information Act) is South Africa’s new legislative framework for data protection. It aims to promote the constitutional right to privacy by safeguarding personal information.

It does this by regulating the flow of information, advancing the rights of individuals to access that information, and creating 8 conditions or minimum thresholds. It requires both public and private bodies to comply with these conditions when collecting, processing, storing and sharing personal information.

What is GDPR

The GDPR (General Data Protection Regulation) is Europe’s new framework for data protection law. It aims to “harmonise” data privacy laws across Europe and to give greater protection and rights to individuals within the EU.

It requires companies covered by the GDPR to be more accountable for their handling of people’s personal information by maintaining data protection policies, data protection impact assessments and relevant documentation of how data is processed.

The 8 Conditions or Minimum Thresholds of PoPI

Accountability — Companies will be accountable for complying with the measures prescribed in the Act. These measures, backed by fines or imprisonment, make the company responsible and liable for the personal information from the moment it is collected to the time of its deletion.

Purpose Specification — Information can only be collected for a legitimate and lawful purpose. Companies may not keep the information for longer than is required to fulfil that purpose.

Processing Limitation — Companies will only be permitted to collect the minimum information required for their purpose. This condition includes the responsibility to obtain proper consent from the individual and to ensure the individual is aware that their data is being processed and for what purpose.

Further Processing Limitation — This condition limits any secondary use of the information: it cannot be used for any purpose other than the one for which it was initially collected.

This includes preventing the disclosure or transfer of personal information to third parties.

Information Quality — Companies will have to take practical steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.

Openness — Companies will be required to clearly inform the individual that information is being collected on them, the reasons for collecting and what the information will be used for.

Security Safeguards — Companies will have to implement security measures to ensure the security, integrity and confidentiality of the information collected. This includes taking technical measures to prevent loss, damage and unlawful access.

Data Subject Participation — Individuals have the right to ask for, and be given, the details of any information that has been collected about them at no cost.

PoPI principles compared to GDPR

As the table below makes clear, PoPI and the GDPR overlap in nearly all areas. This means that compliance with the GDPR should result in near-perfect compliance with PoPI.

*DPO — Data Protection Officer

In what ways is PoPI different from GDPR

Where it applies

The GDPR applies to the personal data of EU data subjects (in short, EU citizens), regardless of jurisdiction or where the data is being processed. PoPI, on the other hand, is limited to personal information processed within the borders of South Africa.

Who it applies to

PoPI is more extensive and stringent than the GDPR because it applies to both natural and juristic persons. Whilst the GDPR only applies to information about living natural persons, PoPI also applies to information collected about companies, bodies corporate, trusts and similar entities.

This means that information about vendors, suppliers or partners will be subject to the requirements and conditions of PoPI.

Roles and definitions

PoPI only defines two key roles which an organisation may take — responsible parties (PII controllers) and operators (PII processors). The GDPR recognises that these two roles alone are not sufficient and defines additional distinct roles, such as joint responsible parties.

The requirements for PII controllers and PII processors as set out in PoPI are very closely aligned with the corresponding roles in the GDPR, but at this point in time PoPI does not consider the other relationships. These may be included in future regulations.

Fines & Penalties

The GDPR’s fine of €20 million or 4% of a company’s global turnover, whichever is higher, is obviously much larger than PoPI’s fine of R10 million.

PoPI further envisions the possibility of criminal sanctions in the event of non-compliance.

Data protection officers

The GDPR requires the appointment of a Data Protection Officer for certain organisations, based on factors such as size, type or processing activity. PoPI, however, requires all organisations to have a Data Protection Officer, regardless of any such factors.

PoPI states that should a company not have a Data Protection Officer, this role falls to the head of the organization (typically the CEO or executive officer). Should the role be delegated to another member of the organisation it must be done formally and in writing. All Data Protection Officers, under South African law, must be registered with the Information Regulator.

Breach notification requirements

The GDPR sets out very specific breach notification requirements, with a duty to report breaches to supervisory authorities within 72 hours of the discovery of a breach. PoPI does include breach notification requirements, but without a specific timeline other than “as soon as reasonably possible.”

Privacy by design

The GDPR mandates the concept of privacy by design; PoPI does not mention it at all, so it remains a best-practice or voluntary approach for organisations not falling under the GDPR.

Data protection impact assessments

The GDPR requires companies to conduct data protection impact assessments and to maintain evidence or documentation of such assessments. PoPI does not specifically require this, although the security safeguards condition may be interpreted to include these types of assessments.

Data portability

Individuals in the EU enjoy the right to data portability, meaning they can require that their data be transferred to another controller or service provider. PoPI currently has no such provision, although future regulations may change this.

Conclusion

While there are several key differences between the two pieces of legislation, PoPI can be seen as a stepping stone to GDPR compliance. Organisations not in compliance with PoPI will certainly not meet the requirements of the GDPR.

Compliance with the GDPR carries a few additional requirements, such as conducting privacy impact assessments, building privacy by design into the fabric of the organisation, and improving records and bodies of evidence to demonstrate compliance. However, compliance with the GDPR will result in majority compliance with PoPI.

Find out more from Black Ink Advisory

*All materials have been prepared for general information purposes only to permit you to learn more about the subject, our services and amount to no more than opinion. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.
