The EU General Data Protection Regulation (GDPR) is widely seen as the gold standard for data protection worldwide.
While EU law has clearly inspired South Africa’s Protection of Personal Information Act (POPIA), there are some crucial differences between the two laws that any business operating in South Africa should understand.
This article will look at three important ways in which the POPIA arguably exceeds the GDPR.
1. The POPIA Covers Data About Corporations — Not Just People
The first major difference between the GDPR and the POPIA is that the POPIA’s definition of “personal information” is significantly broader than the GDPR’s for one very important reason.
The GDPR defines “personal data” as “information relating to an identified or identifiable natural person…” (a “data subject”).
The POPIA similarly defines “personal information” as “…information relating to an identifiable, living natural person…” But the South African law then takes the definition further, adding that personal information can also relate to “an identifiable, existing juristic person…”
A “juristic person” is another term for “legal person”—a non-living legal entity with enforceable rights, such as a corporation, public body, or any other organisation that can enter into contracts, own property, or take a case to court.
This means that businesses operating in South Africa may need to protect data about business partners, vendors, etc., in the same manner that they would protect data about their customers.
And that doesn’t only mean data about the employees of those business entities (who are “natural persons”) but also data about the business itself (the “juristic person”).
It’s worth noting that the EU’s upcoming ePrivacy Regulation takes a similar approach, applying some provisions both to “natural” and “legal” persons—but that law will be less comprehensive in its scope and application than the POPIA.
2. The POPIA’s Rules on Children’s Data Are Stricter
Another area in which the POPIA differs from the GDPR is its treatment of children’s data.
The GDPR’s rules on children are relatively strict, but the law focuses on controllers offering “information society services” (online services) directly to children. Such controllers must obtain parental consent before processing a child’s personal data.
Recital 38 of the GDPR also highlights the “specific protection” owed to children when processing their personal data, particularly for marketing or profiling purposes.
In contrast, the POPIA’s rules on processing childrens’ data apply regardless of the context in which you are processing it. The law makes no distinction between different processing purposes.
In fact, processing childrens’ data is forbidden altogether unless you can identify one of the five distinct legal bases set out at Section 35 of the POPIA, the most widely applicable of which is where personal data “has deliberately been made public by the child with the consent of a competent person.”
There’s a lot to unpack in this provision, including when personal information can be said to have been “deliberately made public” by a child, and how to verify that a “competent person” has provided consent.
However, it is also possible to apply directly to South Africa’s Information Regulator for authorisation to process children’s data.
3. Every POPIA-Covered Company Must Appoint an Executive-Level ‘Information Officer’
The GDPR has led to many companies appointing a Data Protection Officer (DPO) to oversee data protection compliance. But many private companies that do not routinely monitor data subjects or process “special category data” are not required to appoint a DPO.
Under the POPIA, however, every business falling under the law’s scope must appoint an Information Officer, and there are some strict conditions for this appointment.
Guidance from the Information Regulator clarified certain aspects of the POPIA’s provisions on Information Officers—but the guidance has also caused some confusion among POPIA-covered businesses.
According to a guidance note issued by the Information Regulator, an Information Officer:
- Must be an executive-level employee
- Must report directly to the highest level of management
- Must be based in South Africa
- Must be registered with the Information Regulator
By requiring that an Information Officer is a senior member of staff, based in South Africa, the aim appears to be to ensure that Information Officers can be held legally liable for a company’s POPIA violations.
This contrasts with the GDPR’s approach to DPOs, who are supposed to act as independent advisers—that do not have to be established in the EU or work for the organisation concerned.
However, it is unclear how a company not established in South Africa, but that is still subject to the POPIA, would fulfil the South African law’s requirements.
Learn More About POPIA Compliance At PrivSec South Africa: 18 January 2022
Want to learn more about all aspects of compliance with the POPIA and other South African privacy and security laws?
PrivSec South Africa is a one-day livestream experience welcoming senior decision-makers engaged in business in South Africa, seeking the latest advice, guidance and information from subject matter experts, industry leaders and academics.
Focusing on both practical and ethical issues attendees can expect presentations, panel discussions and debates, delivering unique insights and actionable content to ensure they leave with valuable strategies and roadmaps.