POPI vs GDPR – IT’S COMPLICATED!
Your business and international clients
– Carmi Martinson
Protection of Personal Information Act (“POPI”)
South Africans across all industries have been holding their breath since the Protection of Personal Information Act (“POPI”) was published on 26 November 2013. Businesses in South Africa face the imminent commencement of POPI, which will come into effect in its entirety on a date that is still to be determined. POPI’s objectives are to regulate the processing of personal information and data protection in an effort to align South African data protection laws with international standards.
In the meantime, other data protection legislation came to the party and although it is not South African law, South African businesses dealing with the European Union (“EU”) will have to comply as well.
EU – GENERAL DATA PROTECTION REGULATIONS (“GDPR”) WILL AFFECT SA BUSINESSES
The EU GDPR is a new privacy and data protection law which was adopted in Europe in April 2016. The GDPR became effective on 25 May 2017, with a one year grace period for companies to bring their privacy regulations in line with the regulations of the GDPR. It will be enforceable from 25 May 2018.
It is important for companies conducting business in the European Union (“EU”) to understand exactly how they will be affected. Any company processing the personal data of EU residents in connection with offering goods or services, or that monitors the behaviour of those residents, will have to comply with GDPR.
The key requirements of the GDPR can be simplified and summarised as follows: Companies have a responsibility to process personal data lawfully, fairly and in a transparent manner, as well as ensure that the personal data kept is accurate and up to date. The data may only be retained as long as it is necessary for a company to achieve the purpose for which the personal data was collected.
The GDPR aims to safeguard against any privacy and data breaches in a new global environment where business has become intertwined with technology and where most of the data is electronically transmitted.
GDPR SOUNDS A LOT LIKE POPI, SO WHY SHOULD WE BE CONCERNED?
The main concern is that South African companies conducting business with European companies will be seen as high risk from a personal information protection perspective, if compliance with GDPR is lacking.
The GDPR forces businesses to adopt a risk-based approach to the processing of personal information and sets out severe consequences for non-compliance.
THE GDPR POPI DEBATE – SAME PRODUCT DIFFERENT FLAVOURS?
The conditions and principles are the same in many ways, save for the definitions and naming conventions. Both require compliant processing of personal data, both require the Regulator to be notified of a privacy breach, and both regulate which data can be sent cross-border.
In essence, if your company complies with GDPR, it will comply with POPI.
Some of the significant differences are the security regulations, for example:
GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.”
POPI: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”
The most significant difference is the penalty for a breach under the GDPR, which can be a fine up to four percent of annual global turnover or €20 million, whichever is greater. These penalties have a potentially debilitating consequence for South African companies.
FAILING TO PREPARE IS PREPARING TO FAIL
In order to ensure that your business is GDPR and POPI compliant, a comprehensive due diligence of the business and of the manner in which personal data is processed should be conducted. This will ensure that appropriate retention policies and security measures can be put in place in order to safeguard against unauthorised access, loss, damage, modification and destruction of data.
Our office can assist your business with the necessary policies and compliance with GDPR and POPI.
Life is complicated enough – compliance does not need to be.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice.