South Africa’s New Data Privacy Law

The Protection of Personal Information Act (POPIA)will come into effect in South Africa on July 1st, 2021 after a seven year wait. POPIA is the EU General Data Protection Regulation (GDPR) equivalent of South Africa or the CCPA for California. Basically, the act is a new consumer data protection legislative framework. The legislation looks to safeguard personal information, and by doing so it promotes the fundamental right to privacy. 

The POPIA fundamentals focus on restricting the flow of information, advancing individuals’ rights to access their data, and establishing eight requirements or minimum thresholds. When gathering, sorting, storing, and exchanging personal information, it will require both public and private bodies to comply with the requirements.

The Eight Requirements under POPIA

POPIA mainly applies to companies and people processing data for commercial purposes and IDG Connect outlined the eight main features of the legislative framework, which are:

  1. Accountability. The data processor takes on all responsibility for ensuring the rest of the conditions are met. 
  2. Processing Limitation. Strict limitations on what kind of data processing is allowed, including only processing relevant data with a specific purpose and allowing data subjects to object/withdraw consent at any time. 
  3. Purpose specification. Restricts reasons behind data collection to “specific, explicitly defined and lawful” purposes – essentially, data collection must revolve around your normal business activities. Your data subjects must also be aware of these reasons. 
  4. Further processing limitation. Puts limitations on how organisations can further process data from their original intent, so that any further processing must be “compatible with the purpose for which it was (originally) collected”. 
  5. Information quality. Stipulates that organisations must ensure collected data is complete and accurate. 
  6. Openness. Regards data processors’ responsibilities under South Africa’s Promotion of Access to Information Act, requiring documentation of data processing activities and proactive data subject notification when data is collected. 
  7. Security safeguards. Outlines the security requirements – described as “appropriate, reasonable technical and organizational measures” – organisations must take to keep personal data safe. 
  8. Data subject participation. Defines the rights of data subjects including the right to access their own data, to be able to request and receive corrections within a timely manner.

The “Faults” in the Framework

In comparison to the EU’s General Data Protection Regulation (GDPR) and even California’s CCPA, the POPIA is not considered as consumer focused. For instance, the GDPR covers all EU citizens’ data and protects it regardless of what country or where the data is being processed. The POPIA is restricted to protect only data that is being processed within the borders of South Africa. While the GDPR applies only to information about living people, POPIA mainly applies to data and information gathered about corporations, associations, trusts and other businesses. So the POPIA is actually much more stringent on corporations and data collecting organizations in comparison to the GDPR. 

While it is concerning that POPIA doesn’t apply to anybody processing data outside of the borders of South Africa, this is still a big step for South Africa in regards to someday having a similar framework as the GDPR. The provisions of the GDPR would not be met by organizations not in accordance with POPIA. This would make it nearly impossible for South African organizations to do international business if they are not POPIA compliant.