Since then, the digital age has presented major challenges to regulation. Technology enables the transfer of vast amounts of information across borders with many benefits. However, it simultaneously enables the citizens from countries governed by privacy legislation to transfer data outside their borders and bypass restrictions. In response, information privacy laws were amended to prohibit the transfer of personal information to countries with lower standards of legal regulation than their own.

In this context South Africa promulgated the Protection of Personal Information Act (POPIA). It ensures that South Africa is able to process information and conduct business with European countries for commercial benefit. Conversely, POPIA advances the right to privacy contained in the South African Constitution and imposes harsh sanctions for non-compliance.

In an expanding digital economy, stake holders within South Africa and the E.U increasingly process personal information across both jurisdictions. While South Africa and the E.U both have comprehensive laws in place, there are disparities and similarities between both. This creates a frequently asked, seldom answered question:

When are South African entities bound by the GDPR and when are European entities bound by POPIA? The answer is not always simple, but a basic understanding can assist.

What POPIA compliant organisations need to know about the GDPR

POPIA extends to the protection of personal information of juristic persons (i.e. legal entities) and not just individuals, making it more extensive and stringent than the GDPR which only applies to natural persons. It is therefore necessary for South African organisations to ensure that should they engage in business with organisations who are GDPR compliant, that these organisations extend their data protection to juristic persons in order to align with POPIA requirements.

POPIA is also more stringent in its requirement that an Information Officer should be appointed for all organisations, while the GDPR only requires the appointment of a Data Protection Officer for certain organisations.

Furthermore, the GDPR has much larger fines than POPIA. The GDPR carries fines of up to €20 Million or 4% of the global annual turnover, whichever is higher. The maximum penalties under POPIA are a R10 million fine and/or imprisonment for a period not exceeding 10 years, where the GDPR considers the latter to be a matter for member state law. Read more on POPIA requirements here.

What GDPR compliant organisations need to know about POPIA

While the concept of privacy by design is mandated by the GDPR, it is not mentioned in POPIA at all and remains a best practice option or voluntary approach for POPIA compliant organisations.

The GDPR furthermore provides data subjects with the benefits of data portability where data subjects may request that their data be transferred to another controller or service provider. This right is not extended to data subjects under POPIA.

The GDPR also mandates that data protection impact assessments be conducted and that evidence or documentation of such assessments be maintained. Currently there is no corresponding requirement under POPIA.

The best way forward

When it comes to information privacy compliance, there is no one-size-fits-all solution. As a point of departure, if you’re processing personal information (or personal data) regulated by POPIA and GDPR, you must satisfy the requirements of both jurisdictions. The good news is that adapting POPIA or GDPR for dual legal compliance is not onerous or invasive. It however requires expertise in both areas to ensure secure data-related commercial transactions.

Contact SwiftTechLaw here to enroll in our Privacy Law Compliance Program for 2020.

The post WALKING THE LINE BETWEEN POPIA AND GDPR appeared first on Swift Tech Law.