Do you know the difference between GDPR, POPIA, and dating? We have created a series of nine articles to help you wade through the complexity of at least two of those topics.
In this article, you will learn what the series is about and whether GDPR compliance is equal to POPIA compliance. Let’s get started:
Data breaches scare people, and rightly so. In South Africa, we have seen massive data breaches in recent years. In a 2017 breach, 60 million identity numbers were stolen which is more than the entire current South African population size. More recently we learned of a data leak of nearly 1 million clients of an insurance company.
Breaches like the ones above happen all too often. Hackers steal names, email addresses, and even medical or credit card data. As consumers, and users of the internet, when our personal data falls into the wrong hands, we become more aware of the data organizations hold about us.
It is more than just breaches that prompt people to ask questions about their personal data. We have all received unwanted emails, phone calls, mobile text messages, and more recently WhatsApp messages, from unscrupulous salespeople. Where did they find our information? And do they even have permission to use it?
Governments around the world are responding to privacy concerns by creating new laws. Through these laws, individuals have more control over their own personal data.
The GDPR legislation created by the European Union is possibly the most well-known example. In South Africa, the POPIA (Protection of Personal Information Act) is a similar piece of legislation. Both laws set out the ways in which personal information can be collected, processed and used by organizations.
EPI-USE Labs has implemented data privacy solutions at a number of leading European businesses. We also implemented processes to become GDPR compliant in our own organization, giving us unique insight into the practical complexities of such privacy laws.
POPIA and GDPR are strikingly similar in key ways. Beyond the fact that they concern the same topic, POPIA was developed somewhat later than GDPR. This allowed South African legislators to borrow key concepts from the European Union legislation.
Both GDPR and POPIA take the perspective that data privacy extends throughout the entire data lifecycle, from acquisition through to destruction.
Albeit not exhaustive, this series of articles will compare the two laws in terms of the following topics:
POPIA was developed after the initial drafts of GDPR became available. This allowed South African legislators to learn from their European counterparts which led to many similarities. In fact, at face value POPIA may seem like a less verbose version of GDPR, making them interchangeable.
Other than the logical differences in scope (i.e. jurisdiction) and structure, there are a number of key differences that make POPIA challenging. Chief among these is the definition of “person” - where GDPR applies to natural persons as data subjects, POPIA applies to both natural and juristic persons. This adds a significant burden to compliance efforts.
Similarly, POPIA requires an information officer for all organizations to be registered with the Information regulator. With GDPR, not all organizations need a data protection officer.
With the overlap between POPIA and GDPR, preparation for one will contribute to preparation for the other. However, the significant differences between the two laws mean that compliance to one does not equal compliance to the other.
Join us over the next eight weeks as we delve into the laws, and how they will affect your organization.
From an SAP point of view, there is little distinction between GDPR and POPIA. If you’ve already prepared your systems for GDPR, you only need to revisit the small deltas as outlined in articles in this series. If you haven’t yet started a GDPR project, you shouldn’t get sidetracked by technology. The first step is to ensure you identify all sensitive personal information. You can only manage what you know.
Most likely your SAP systems don’t live on an island and interface with many other systems and providers, like your vendors, banks and client-facing systems. All these should be considered. Our Privacy Comply Methodology outlines the steps of a typical privacy compliance project. Only during the remediation phase do you implement technology that supports your privacy policies and processes.
Disclaimer: The information published in the blog post is for informational purposes only and should not be construed as legal advice. Please contact your legal adviser for further guidance on this topic.