I am GDPR compliant. Now why all the rigmarole in ensuring that I need to be POPI compliant? Surely, they are comparatively one and the same? Well, not quite.
The General Data Protection Regulations (hereafter GDPR) are regulations which were adopted by the European Union and became effective in May 2018. They regulate how data should be protected within countries that form part of the European Union. Important to note is that the GDPR extends much more rights and protection to individuals and their data than previous data privacy laws.
The Protection of Personal Information Act came into effect fully in 2021 in South Africa. Often dubbed as the GDPR equivalent in South Africa, it governs how data should be processed both within the borders and outside the borders of South Africa. POPI extends rights and protections to both individuals and juristic entities operating within South Africa and is the first of its kind in terms of data protection laws within South Africa.
National or local data privacy laws, including POPI and the GDPR, are far too broad in scope to fully encapsulate and compare in this overview. However, in our discussion herein, we will highlight the main notable differences between the two.
1. Date of Commencement
As a point of departure, one of the first differences between the General Data Protection Regulation (GDPR) and the Protection of Personal Information Act No.04 of 2013 (POPI) lies in the date of commencement. The GDPR came into force on 24 May 2016, with an extended grace period of two years. The deadline to be GDPR compliant was 25 May 2018. The POPI Act was gazetted in 2013, however, the sections containing the obligations and consequences of POPI, sections 2-38,55-109,111,114(1), (2) and (3) only commenced on the 1 July 2020. There was a 1-year transitional period in section 114(1), which means that all organizations needed to be POPI compliant by 1 July 2021.
2. Application and Scope
In comparison to the GDPR, the POPI Act starts out by outlining the application and scope of protection of personal information. In Section 1 of POPI “personal information” is defined as information “relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” From this definition we see that the POPI Act extends its protection on collected personal information not only to individuals but to juristic entities ie. companies and corporations’ as well. When looking at the GDPR, we see that in the GDPR, protection is only extended to individuals.
The POPI Act further clarifies what types of personal information is protected in terms of Section 1:”
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.’’
In comparison, it’s counterpart, the GPDR uses the term “personal data” and in Article 4 defines it as: “any information relating to an identified or identifiable natural personal (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The Act further outlines the application and scope of POPI by introducing a role-player named a “responsible party”. A responsible party is a public or private body who determines the means and purpose of processing the personal information. POPI will be applicable where the Responsible Party is domiciled in the Republic; or not domiciled in the Republic but makes use of automated or non-automated means in the Republic. The EU’s pre- GDPR Directive-1995, on the other hand provides that the GDPR shall also apply when the data processed belongs to EU citizens, and when EU member state law applies due to international agreements.
3. Consent and Justification
Under POPI, processing is justified in the following instances:
a) when consent is obtained by the data subject or a competent person when the data subject is a child;
b) where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
c) Where processing is necessary to comply with an obligation imposed by law on the responsible party;
d) Where processing is necessary for the proper performance of a public law duty by a public body; or
e) Where processing protects a legitimate interest of the data subject or a third party to whom the information is supplied.
This might be interpreted to cover the data subject’s “vital interest”, a term commonly found in the GDPR, but this is unclear.
The GDPR created a “legitimate interest” test which has been a point of contention. The legitimate interest test is a three-pronged test, which is derived from Article 6(1)(f). The test looks at purpose, necessity and balance and tries to balance these factors when determining what legitimate interest means. In terms of POPI, the Information Regulator ultimately has the discretion to determine whether a legitimate interest exists as a lawful basis for processing personal information. Seeing as the Information Regulator has not yet provided much direction in this regard, this is still uncertain. It is therefore advisable to first attempt to comply with the provisions of POPI, specifically those relating to consent and data subject notification before one considers relying on this as a defence for being able to process information.
4. Definitions and Terminology
Another notable difference between the GDPR and POPI is the use of key definitions and terminology. Notwithstanding the fact that many of the definitions are analogous- POPI makes use of the terms Information Officer; Responsible Party; and Operator, whereas the GDPR utilizes terms such as Data Protection Officer; Data Controller and Data Processor. The appointment of an Information Officer is more of a formality than an obligation which is placed on every Company in South Africa. This is because according to the Information Regulator’s guidelines as well as the Act, the most senior person in the organization automatically steps into this role and is thus liable for all information processing activities undertaken by that organization. The GDPR makes it obligatory on only some organisations to have a Data Protection Officer.
Furthermore, POPI accentuates the importance of the protection of Special personal information, which includes race; ethnic origin; trade union membership; health status; biometric information and/ or criminal behaviour, with its counterpart labelling this as Sensitive Personal Information. The GDPR defines special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation.
The development of privacy programs is another difference between the GDPR and POPIA. The GDPR advocates for privacy by design rather than privacy as a function. Privacy by design means ensuring data protection through technology design, as opposed to putting various policies in place. POPI recommends best practice options and provides objectives which one should meet for privacy and security, which makes POPI’s privacy requirements slightly less stringent. POPI thus provides us with a framework and guidelines – from here a lot of discretion lies within the hands of the responsible party to determine how they will meet these objectives and align their processing activities within the framework provided.
According to POPI, children who are Data Subjects are given special care when processing their information. As mentioned above, children’s information is regarded as special personal information and thus requires further and specialized levels of protection. Section 1 of POPI defines a child as under 18 years of age, and “who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself”. Section 35 further outlines requirements regarding children, and circumstances under which their personal data can be processed. Children’s information can only be processed in the following circumstances:
a) with the consent of “a competent person”;
b) if it serves a public interest;
c) when necessary to comply with an obligation of international public law, and other conditions.
Important to note here is that the Act does provide justifications to process without consent, however as the Act and application thereof is new, while awaiting guidance from the courts and Information Regulator, it is advisable to rather obtain consent first before attempting to rely on these justifications.
In terms of Article 6(1) of the GDPR, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Individual EU members are allowed to lower the age for what constitutes a child to 13.
7. 7 principles v 8 main conditions
The GDPR sets out seven key principles to achieve compliance: Lawfulness, Fairness and Transparency; Purpose limitation; Data minimisation; Accuracy; Storage Limitation; Integrity and confidentiality; and Accountability.
The POPI Act outlines 8 main conditions for lawful processing which are Accountability; Processing Limitation; Purpose Specification; Further Processing Limitation; Information Quality; Openness; Security Safeguards; and Data Subject Participation.
It is clear that there are some patent differences between POPI and the GDPR. With our fundamental constitutional right to privacy and recent data privacy laws in the spotlight, indubitably, both POPI and the GDPR have espoused these rights and intricately put measures in place to ensure their protection. For those who are GDPR compliant, they can consider themselves somewhat POPIA compliant already and would not need to start again but certainly some tweaking will be required to ensure that all the objectives of the POPI act are met!
For more information on the above topic, please contact the LabourNet Helpdesk at
0861 LABNET (0861 522638).
Not yet a LabourNet client, but would like to know more about our service and products?
Email us: firstname.lastname@example.org