
POPIA: Data protection in South Africa

(Partner Content) Keep reading for a short introduction to POPIA and for a few examples of the differences between POPIA and the GDPR.


On May 25th, 2018, the most significant data protection initiative in 20 years came into effect: the General Data Protection Regulation (GDPR). The purpose of the GDPR is to protect individuals in the EU and to give them control of how their personal information is used. The GDPR was not just the first of its kind; it also set a standard for data privacy protection.

As a result, South Africa now has its own data privacy law: the Protection of Personal Information Act (POPIA). POPIA shares some similarities with the GDPR but is, in its entirety, a different piece of data protection legislation.

The Protection of Personal Information Act

POPIA came into force on July 1st, 2021, and applies to all companies and organizations that process personal information within South African territory. POPIA has a very broad definition of personal information: under POPIA, personal information is information relating to a person, an organization, or a legal entity.

POPIA sets 8 conditions for lawful data processing, and data controllers and data processors are responsible for verifying that their activities are lawful. The 8 conditions are as follows:

  1. Accountability. Your company or organization is required to make sure that the 8 conditions for lawful data processing are met.
  2. Processing limitation. Your company or organization is required to limit lawful data processing to the minimum necessary.
  3. Purpose specification. Your company or organization is required to perform lawful data processing only for a specific, defined purpose.
  4. Further processing limitation. In case of further data processing, your company or organization must ensure that this processing is compatible with the purpose for which the data was collected.
  5. Openness. Your company or organization is required to ensure transparency about its processing activities.
  6. Security safeguards. Your company or organization is required to ensure proper safekeeping of the personal information in its possession and to document the measures taken.
  7. Data subject participation. Your company or organization is required to allow data subjects to access, correct, delete, or destroy their personal information.

Three differences between POPIA and GDPR

While the GDPR protects individuals within the borders of the EU, POPIA seeks to protect individuals as well as companies and organizations. Under POPIA, companies and organizations can be protected as juristic persons.

According to POPIA, all companies and organizations are required to appoint an Information Officer. The GDPR, on the other hand, only calls for the appointment of a Data Protection Officer (DPO) if the company or organization has more than 250 employees. The responsibilities and area of responsibility of POPIA's Information Officer also differ from those of the GDPR's Data Protection Officer.

The size of the penalty for non-compliance also differs between POPIA and the GDPR. Should a company or organization fail to comply with the GDPR, it risks heavy fines of up to €20 million or 4% of yearly global turnover, whichever is higher. The penalty for non-compliance with POPIA can range up to ZAR 10 million.