Our regulatory advice and compliance services include specific business solutions focussed on resilience and recovery:
  • Interpretation of and compliance with National Disaster Regulations and departmental guidelines and directives

  • Data protection, including compliance with Protection of Personal Information Act, and EU General Data Protection Regulations

  • Application of statutory regulation governing specific industries, such as pharmaceuticals, energy and financial services

  • Commercial regulation, including the National Credit Act and Consumer Protection Act

FAQ

What is POPI?

POPI is shorthand for the Protection of Personal Information Act No. 4 of 2013. It was speculated that the substantive portions of POPI were due to come into effect on 1 April 2020, by Presidential proclamation. However, this has not happened. POPI imposes conditions for the lawful processing of personal data of South African citizens residing in South Africa.

What is personal information?

'Personal information' refers to information relating to an identifiable natural person or an existing juristic person. Examples of personal information include, inter alia, race, gender, biometric information, identifying numbers, e-mail address, physical address and bank account details.

What are some of the responsibilities of organisations involved in processing personal information?

You must ensure that you provide data subjects with information regarding who has accessed their personal information, for what purpose it will be used, who the recipients of the information will be, and the period for which the information will be retained.

Are South African juristic and natural persons obligated to comply with GDPR?

GDPR is shorthand for the General Data Protection Regulation, which is law in the European Union. GDPR applies to every natural or juristic person that processes personal data in relation to the offering of goods and services to, or the monitoring of the behaviour of, EU citizens. A failure to comply with GDPR could result in varying consequences, including a written warning and being subjected to periodic data protection audits. In more serious cases, administrative fines may be imposed. These fines could be up to 4% of the annual global turnover of the offender or €20 million.

According to POPI what is the time period within which a responsible party must notify the Information Regulator of a data breach?

Where a data breach has occurred, POPI requires that, within a reasonable time after the breach occurred, the operator must notify the responsible party, and the responsible party must in turn notify the Information Regulator and the data subjects whose personal information has been unlawfully accessed. POPI does not prescribe a specific time period within which a responsible party must notify the Information Regulator.

What is the prescribed time period in terms of GDPR?

Under GDPR, the controller must notify the supervisory authority that has jurisdiction in the territory where the controller or processor concerned, or any affected data subjects, are located within 72 hours of the data breach if there is a risk to a data subject's rights and freedoms.

What are some of the obligations that POPI imposes on responsible parties who engage the services of processors and operators to process data or personal information?

In terms of section 21 of POPI, the responsible party is obliged to enter into a written contract with the operator, and must ensure that the operator which processes personal information on its behalf establishes and maintains the security measures referred to in section 19 of POPI. This entails securing the integrity and confidentiality of the personal information in its possession. The operator must also take measures to prevent loss of, damage to, or unauthorised destruction of personal information, and to prevent unlawful access to or processing of personal information.

If my business is incorporated in South Africa, do I still need to comply with the GDPR?

It depends. GDPR has "extra-territorial" effect: if you are providing services to customers who are citizens and residents domiciled in the European Union, then yes, GDPR will apply to you in terms of Article 3(2) of the GDPR.

I know POPI is based on GDPR, but are there any notable differences between them?

There are notable differences between POPI and GDPR. GDPR does not extend to the protection of non-natural persons, whereas POPI protects juristic persons as well. Article 35 of GDPR obliges a data controller to conduct data protection impact assessments, whereas POPI does not. Article 20 of GDPR provides that a data subject can request that their data be transferred to another data controller (data portability), a right which has no equivalent in POPI. You should be aware of these differences if you are providing services to customers domiciled within the EU.