{"id":1179,"date":"2019-11-21T16:02:30","date_gmt":"2019-11-21T14:02:30","guid":{"rendered":"https:\/\/swifttechlaw.com\/?p=1179"},"modified":"2019-12-17T08:24:58","modified_gmt":"2019-12-17T06:24:58","slug":"walking-the-line-between-popia-and-gdpr","status":"publish","type":"post","link":"https:\/\/swifttechlaw.com\/walking-the-line-between-popia-and-gdpr\/","title":{"rendered":"WALKING THE LINE BETWEEN POPIA AND GDPR"},"content":{"rendered":"
Where did POPIA and GDPR originate? It is less widely known that the European Union is the birthplace of modern information privacy law. The right to privacy has existed for centuries, but EU countries experienced first-hand how the abuse of personal information can lead to detrimental (sometimes fatal) consequences. This led to the adoption of the EU Data Protection Directive (Directive 95\/46\/EC) in 1995, in an effort to regulate the use of personal information.<\/p>\n
Since then, the digital age has presented major challenges to regulation. Technology enables the transfer of vast amounts of information across borders, with many benefits. It simultaneously enables organisations in countries governed by privacy legislation to move data outside those borders and so bypass domestic restrictions. In response, information privacy laws were amended to restrict the transfer of personal information to countries that do not offer a comparable, or adequate, level of legal protection.<\/p>\n
In this context South Africa promulgated the Protection of Personal Information Act (POPIA). Externally, it is intended to ensure that South Africa can process information and conduct business with European countries for commercial benefit, since a country without comparable protection risks being cut off from such transfers. Domestically, POPIA gives effect to the right to privacy in section 14 of the South African Constitution and imposes harsh sanctions for non-compliance.<\/p>\n
In an expanding digital economy, stakeholders in South Africa and the EU increasingly process personal information across both jurisdictions. While South Africa and the EU both have comprehensive laws in place, the two regimes differ in important respects. This creates a frequently asked, seldom answered question:<\/p>\n
When are South African entities bound by the GDPR and when are European entities bound by POPIA? The answer is not always simple, but a basic understanding can assist. In outline, the GDPR reaches a South African entity that has an establishment in the EU, or that offers goods or services to, or monitors the behaviour of, data subjects in the EU (Article 3). POPIA reaches a European entity that is domiciled in South Africa, or that is not domiciled there but processes personal information using automated or non-automated means located in South Africa, unless those means are used only to forward the information through the country (section 3).<\/p>\n
<h4><strong>What GDPR compliant organisations need to know about POPIA<\/strong><\/h4>\n
POPIA protects the personal information of juristic persons (i.e. legal entities such as companies) as well as natural persons, which makes its scope wider and more stringent than that of the GDPR, which applies only to natural persons. A South African organisation dealing with a GDPR compliant partner should therefore check that the partner extends its data protection measures to juristic persons, since GDPR compliance alone does not cover this POPIA requirement.<\/p>\n
POPIA is also more demanding in that every organisation must have an Information Officer (by default the head of the organisation, who may designate deputy information officers), whereas the GDPR requires a Data Protection Officer only for certain organisations, such as public authorities and those whose core activities involve large-scale monitoring of data subjects or large-scale processing of special categories of data (Article 37).<\/p>\n
Furthermore, the GDPR carries much larger fines than POPIA: up to \u20ac20 million or 4% of worldwide annual turnover, whichever is higher. The maximum penalties under POPIA are a R10 million fine and\/or imprisonment for a period not exceeding 10 years; the GDPR itself imposes no imprisonment and leaves criminal penalties to member state law. Read more on POPIA requirements here.<\/p>\n
While data protection by design and by default is mandated by the GDPR (Article 25), privacy by design is not mentioned in POPIA at all and remains a best practice option or voluntary approach for POPIA compliant organisations. The closest POPIA comes is its security safeguards condition (section 19), which requires appropriate, reasonable technical and organisational measures to secure personal information, so building protection in from the outset is the practical way to satisfy it.<\/p>\n
The GDPR furthermore gives data subjects a right to data portability (Article 20), under which they may request that their data be transferred to another controller or service provider. POPIA extends no such right to data subjects.<\/p>\n
The GDPR also mandates that data protection impact assessments be conducted for high-risk processing (Article 35) and that evidence or documentation of such assessments be maintained. The text of POPIA contains no corresponding requirement, although the POPIA Regulations published in December 2018 require the Information Officer to ensure that a personal information impact assessment is done, so organisations should not treat this as a gap they can ignore.<\/p>\n
<h4><strong>The best way forward<\/strong><\/h4>\n
When it comes to information privacy compliance, there is no one-size-fits-all solution. As a point of departure, if you\u2019re processing personal information (or personal data) regulated by both POPIA and the GDPR, you must satisfy the requirements of both regimes. The good news is that adapting a POPIA or GDPR programme for dual compliance is not onerous or invasive. It does, however, require expertise in both areas to ensure secure data-related commercial transactions.<\/p>\n