Close this search box.

SA’s POPI Act, the EU’s GDPR and your business

South Africa’s Protection of Personal Information Act and the European Union’s General Data Protection Regulation have widespread implications for businesses. Are you prepared?

Data privacy and data security are firmly in the spotlight after headline-making incidents around the globe in 2018..

On June 14, Liberty Holdings was targeted by cybercriminals, who breached the group’s IT systems. The hackers claimed to have stolen 40 terabytes of data.

On July 11, Facebook was fined 500 000 pounds (about R9-million) in connection with the Cambridge Analytica scandal. The social media giant failed to protect its users’ information, according to Britain’s data watchdog.

In an increasingly digital environment, cybercrime is an evolving threat. Across the world, governments, economic associations and political groups have implemented legal structures to regulate the information-powered international ecosystem.

If you’re a South African business owner, then you need to understand the directives of SA’s Protection of Personal Information Act as well as the European Union’s General Data Protection Regulation.

What is South Africa’s Protection of Personal Information Act?

The POPI Act (also known as POPIA) was signed into law by President Jacob Zuma on November 19, 2013, and published in the Government Gazette a week later on November 26, 2013.

The legislation is designed to ensure that private, public and governmental organisations behave responsibly when managing the personal information of both “natural persons” (individuals) and “legally recognised entities” (like companies).

The key purposes of the POPI Act (as decreed) are:

  • To give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party.
  • To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information.
  • To provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.
  • To establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfill the rights protected by this Act.

When will the POPI Act be implemented?

Certain sections of the POPI Act became effective on April 11, 2014, and address the appointment of South Africa’s Information Regulator.

The government has yet to announce the commencement date for the remaining provisions of the law, but is expected to do so later in 2018.

There will be a grace period of 12 months from the date of commencement for organisations to comply with the POPI Act.

You can find the full text of the Protection of Personal Information Act on the Justice Department’s website.

You can also download our infographic – 10 Things To Know About South Africa’s Protection of Personal Information Act – to print and keep, absolutely free.

Who is bound by the POPI Act?

All organisations that collect, process, store or share personal information must abide by the rules and regulations of the Act.

Comprehensive data privacy and data security initiatives will need to be implemented so that the technology, systems and processes used for information-gathering and information management comply with the law.

Broadly speaking, the POPI Act sets certain conditions for the acquisition, storage and management of personal details so that individuals (and legally recognised entities) know what is being done with their data. The law also defines the obligations and responsibilities related to information management, including quality control and security.

How is compliance achieved?

Accountability and transparency are core elements of the POPI Act. When the law comes into full force, organisations will have a brief window of opportunity to sort out their affairs. After that, non-compliance is likely to result in a financial penalty and/or imprisonment.

Conducting an in-depth evaluation of your business processes will help you to identify potential problem areas:

  • Audit your entire operation to determine when, where and how personal information is handled.
  • Formulate new protocols and implement checks and balances to ensure compliance.
  • Educate your staff to create an organisation-wide culture of responsibility.

South Africa’s Protection of Personal Information Act is expected to have a dramatic impact on the local business landscape, much like the General Data Protection Regulation has done in the European Union.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR, or EU Regulation 2016/679) is a sweeping data-protection law that was approved by the European Union in April 2016.

The legislation addresses the privacy rights of internet users and imposes limitations on the processing of their online data, including email addresses and social media posts.

When will the GDPR be implemented?

The GDPR is already in effect.

Full enforcement began on May 25, 2018.

Did you receive a flood of “Privacy Policy” notices in your inbox around that time? You weren’t the only one. As the two-year GDPR grace period drew to an end, there was a flurry of compliance activity across the world.

Which countries are affected by the GDPR?

Although it was implemented by the EU, and is primarily concerned with data regulation in European countries, the GDPR has global implications.

Because the internet has revolutionised the way the world does business, it’s possible for a South African company to have customers living in France or Italy. It’s also possible for a South African company to have European customers residing within SA’s borders. In both cases, the GDPR applies, because EU citizens are involved.

If you provide products or services to EU citizens, and process their data in order to do so, then you need to adhere to the GDPR – no matter where you are based.

What happens if businesses don’t comply with the GDPR?

From official reprimands to financial penalties, the consequences of non-compliance are severe. Potential administrative fines can reach 20 million euros. The effects of the European Union’s General Data Protection Regulation are already being felt. The full impact of South Africa’s Protection of Personal Information Act has yet to be seen. Preparation is your best course of action.

share this article