In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Russell Nel, CIPP/US, CIPT, compares South Africa’s Protection of Personal Information Act with the GDPR.
Admittedly, South Africa was a bit late to adopt a holistic data protection law. Though drafts of the Protection of Personal Information Act were available as early as 2005, it was not until November 2013 that the President of South Africa signed it into law, after a rigorous legislative process and much consideration of existing global privacy laws.
At the time POPIA was being finalized, early drafts of the GDPR were already in circulation. South Africa therefore had the benefit of incorporating some GDPR concepts into its own data protection law, resulting in a world-class piece of legislation.
Between those early drafts and the adoption of the GDPR in 2016 (it entered into force on 25 May 2016 and has applied since 25 May 2018), several changes were introduced, so the South African law differs from the GDPR in some key ways that South African companies need to be cognizant of if they are to comply with the GDPR.
Jurisdictional scope
While the core principles of data protection and privacy are common to both laws, many aspects of implementation differ. For one, the GDPR is a regulation that applies directly and uniformly in every EU member state, whereas POPIA is limited to the jurisdiction of South Africa. POPIA applies to personal information processed within the borders of South Africa (and to responsible parties outside South Africa that use means located in South Africa to process it). The GDPR, under Article 3, applies to processing in the context of an establishment in the EU and, regardless of where the organization is based, to organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. This may come as a challenge, and even a bit of a shock, to South African based organizations, many of whom are still grappling with POPIA and what it means for them, and very few of whom (if any) are ready to move up the privacy maturity scale in the way the GDPR demands.
Applicability
Another key difference is that POPIA extends to the personal information of juristic persons (i.e., legal entities) and not just individuals, making it more extensive and stringent in this area. This means that information collected about a company, body corporate, trust or other type of organization enjoys the same protection as personal information about an individual. Consequently, South African organizations need to ensure that they are prepared to comply with POPIA for this information as well: information about vendors, suppliers and other partners. Some leading South African companies have included this in contractual agreements with organizations abroad, extending the contractual definition of personal information to juristic persons so that the contract aligns with POPIA requirements.
Roles and definitions
POPIA only considers two key roles an organization may take: responsible parties (equivalent to GDPR controllers, or PII controllers in ISO terminology) and operators (equivalent to GDPR processors). The GDPR recognizes further distinct roles and their requirements, dealing in more detail with joint controllers (Article 26), third parties and recipients (both defined in Article 4). The requirements for controllers and processors are very closely aligned between the two pieces of legislation. POPIA does not address the other relationships at this stage, but they may be covered in future regulations issued by the South African Information Regulator from time to time.
Fines and penalties
The GDPR provides for much larger fines than POPIA: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83), as opposed to a maximum administrative fine of ZAR 10 million under POPIA. Tying the fine to global annual revenue matters for larger organizations that could otherwise easily afford (or even budget for) a fixed fine.
POPIA provides for imprisonment of individuals who commit criminal offences involving personal information, whereas the GDPR leaves criminal penalties to member state law (Article 84).
Data protection officers
The GDPR requires the appointment of a Data Protection Officer under Article 37 for certain organizations only (public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special categories of data). POPIA has an equivalent requirement, the information officer, but with no distinction by size, type or processing activity of the organization: ALL organizations must have one. Under POPIA this role falls by default on the head of the organization (typically the chief executive of a private body, or the executive officer of a public (government) body), who may designate deputy information officers to carry out the duties. Delegation of duties and authority must be done formally and in writing, and every information officer must be registered with the Information Regulator.
Breach notification requirements
Under Article 33 of the GDPR, breach notification requirements are very specific: a breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless it is unlikely to result in a risk to individuals; Article 34 separately requires notifying affected data subjects when the breach is likely to result in a high risk to them. POPIA also requires notification of both the Regulator and affected data subjects, but without a specific timeline beyond "as soon as reasonably possible" after discovery of the compromise.
Privacy by design
While data protection by design and by default is mandated by Article 25 of the GDPR, privacy by design is not mentioned in POPIA at all and remains a best-practice or voluntary approach for those implementing privacy programs in South Africa.
Data protection impact assessments
The GDPR also mandates data protection impact assessments for high-risk processing (Article 35) and the retention of documentation evidencing those assessments. POPIA has no specific requirement to this effect, although its security safeguard provisions (section 19), which require a responsible party to identify and assess reasonably foreseeable risks to personal information, could be read as implying a form of risk assessment.
Data portability
Under the GDPR, data subjects in the EU enjoy the right to data portability (Article 20): they can receive the personal data they provided to a controller in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another controller or service provider. POPIA is silent on this matter, though it may be a topic for consideration by the Information Regulator once it is fully operational.
Conclusion
While there are several key differences between the two pieces of legislation, POPIA can be seen as a stepping stone to GDPR compliance. Indeed, an organization that does not comply with POPIA will certainly not meet the requirements of the GDPR.
For organizations that have already taken firm steps to comply with POPIA and with general data protection principles, compliance with the GDPR will not be such a great leap.
Regardless of the progress made on POPIA, compliance with the GDPR will carry a few additional requirements, such as conducting data protection impact assessments, building privacy by design into the fabric of the organization, and improving the records and bodies of evidence used to demonstrate compliance. Meeting these will stand any organization in good stead.