Does GDPR Compliance equal POPIA Compliance?

19 September 2018
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

Do you know the difference between GDPR, POPIA, and dating? We have created a series of nine articles to help you wade through the complexity of at least two of those topics.

In this article, you will learn what the series is about and whether GDPR compliance is equal to POPIA compliance. Let’s get started:

Data breaches happen, and they are scary

Data breaches scare people, and rightly so. In South Africa, we have seen massive data breaches in recent years. In a 2017 breach, 60 million identity numbers were stolen which is more than the entire current South African population size. More recently we learned of a data leak of nearly 1 million clients of an insurance company.

popia-data-breaches-in-south-africa

Breaches like the ones above happen all too often. Hackers steal names, email addresses, and even medical or credit card data. As consumers, and users of the internet, when our personal data falls into the wrong hands, we become more aware of the data organizations hold about us.

It is more than just breaches that prompt people to ask questions about their personal data. We have all received unwanted emails, phone calls, mobile text messages, and more recently WhatsApp messages, from unscrupulous salespeople. Where did they find our information? And do they even have permission to use it?

Governments around the world are responding to privacy concerns by creating new laws. Through these laws, individuals have more control over their own personal data.

The GDPR legislation created by the European Union is possibly the most well-known example. In South Africa, the POPIA (Protection of Personal Information Act) is a similar piece of legislation. Both laws set out the ways in which personal information can be collected, processed and used by organizations.

EPI-USE Labs has implemented data privacy solutions at a number of leading European businesses. We also implemented processes to become GDPR compliant in our own organization, giving us unique insight into the practical complexities of such privacy laws.

Managing your privacy throughout the full data lifecycle

POPIA and GDPR are strikingly similar in key ways. Beyond the fact that they concern the same topic, POPIA was developed somewhat later than GDPR. This allowed South African legislators to borrow key concepts from the European Union legislation.

Both GDPR and POPIA take the perspective that data privacy extends throughout the entire data lifecycle, from acquisition through to destruction.

popia-manage-data-privacy-data-lifecycle

Albeit not exhaustive, this series of articles will compare the two laws in terms of the following topics:

  • Acquisition and data entry: When data is first acquired, there must be a legal basis for processing data, a clear purpose for using the data, and only pertinent data clearly related to the purpose can be gathered.
  • Data maintenance: Once acquired, data is stored and maintained for use. During the time in which the data is retained, both GDPR and POPIA put emphasis on data security and data quality.
  • Data analysis: We use data either directly, or for analysis. Analysis of personal data may result in profiles that inspire action. Data analysis is either performed by hand or through automation. GDPR and POPIA address automated decision-making that affects data subjects.
  • Data use: Direct use of data by companies typically consists of contacting people, establishing context, assessing interest or as inputs to analyses. Both GDPR and POPIA explicitly require that data use is restricted to an intended purpose, with the data acquired on a lawful basis. Data subjects must have full access to their data, a simple way to withdraw consent and recourse via a data security officer.
  • Data transfer: Data transfer by data controllers across borders is prohibited by both GDPR and POPIA, with specific exceptions. In addition, GDPR provides data subjects with the right to transfer their data between controllers (data portability).
  • Data archiving: Data may only be retained as long as legal basis, and/or consent applies. Both GDPR and POPIA allow for data retention beyond these retention periods for the purpose of archiving, but these allowances are balanced with the rights of the data subject to have their data redacted or removed.
  • Data destruction: GDPR and POPIA require irreversible data deletion or anonymization of data when the lawful basis and purpose of the data expires, or when consent is withdrawn.
  • Data breach: Strict breach procedures that must be integrated into company policies and systems are spelled out by GDPR and POPIA.

GDPR and POPIA: The highlights

POPIA was developed after the initial drafts of GDPR became available. This allowed South African legislators to learn from their European counterparts which led to many similarities. In fact, at face value POPIA may seem like a less verbose version of GDPR, making them interchangeable.

Other than the logical differences in scope (i.e. jurisdiction) and structure, there are a number of key differences that make POPIA challenging. Chief among these is the definition of “person” - where GDPR applies to natural persons as data subjects, POPIA applies to both natural and juristic persons. This adds a significant burden to compliance efforts.

Similarly, POPIA requires an information officer for all organizations to be registered with the Information regulator. With GDPR, not all organizations need a data protection officer.

GDPR and POPIA: Similar, but not the same

With the overlap between POPIA and GDPR, preparation for one will contribute to preparation for the other. However, the significant differences between the two laws mean that compliance to one does not equal compliance to the other.

Join us over the next eight weeks as we delve into the laws, and how they will affect your organization.

SAP knowledge sidebar

by Jan van Rensburg

From an SAP point of view, there is little distinction between GDPR and POPIA. If you’ve already prepared your systems for GDPR, you only need to revisit the small deltas as outlined in articles in this series. If you haven’t yet started a GDPR project, you shouldn’t get sidetracked by technology. The first step is to ensure you identify all sensitive personal information. You can only manage what you know.

Most likely your SAP systems don’t live on an island and interface with many other systems and providers, like your vendors, banks and client-facing systems. All these should be considered. Our Privacy Comply Methodology outlines the steps of a typical privacy compliance project. Only during the remediation phase do you implement technology that supports your privacy policies and processes.

Disclaimer: The information published in the blog post is for informational purposes only and should not be construed as legal advice. Please contact your legal adviser for further guidance on this topic.

The next article will be out soon - sign up to get notified!

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data SAP data encryption SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security for SAP. Live Sensitive HCM data South African data privacy legislation Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: