In July 2020, the South African Parliament enacted POPIA. It is the nation’s latest and most prominent data privacy law governing the personal data of South Africans. With a series of new data privacy laws coming into effect worldwide, such as the GDPR and the CCPA, POPIA is the latest addition, bringing South African regulation in line with new global norms.
All organizations operating in South Africa must be knowledgeable about and compliant with the new standards. Otherwise, they risk incurring significant penalties and consequences.
POPIA, or the Protection of Personal Information Act, was first passed in 2013. However, after seven years in legal limbo, the Act finally came into effect in July 2020, with a one-year grace period to allow organizations to achieve compliance. In fact, POPIA was first drafted back in 2003 and went through numerous iterations before reaching its current form.
In its present form, the law aims to give South African citizens rights over their personal data, including the right to correct, access, and delete any personal information an organization may possess.
Moreover, organizations do not need to be located inside South Africa for the law to be applicable. Indeed, like the GDPR, any organization possessing South African citizens’ personal data must be compliant with POPIA.
Like other data privacy laws, POPIA enshrines certain inalienable rights for data subjects. These give individuals greater control over the collection, use, and disclosure of their personal data and ensure greater transparency from organizations.
According to Chapter 2, section 5, POPIA grants data subjects the following rights:
In short, the Act guarantees a data subject the right to give meaningful consent to the collection, use, or access of their data. They may also request the destruction or correction of their data. And, in circumstances where their rights are infringed, they have the right to raise a complaint and sue the organization in question.
Most data privacy laws have taken a broad stance when defining personal data. POPIA is no different. Here, it includes “any kind of information relating to an identifiable, living natural person, company, or similar legal entity.” This covers, for example:
- Names, addresses, email, or phone numbers
- Identity markers: gender, age, ethnicity, sexual orientation, political beliefs, etc.
- Health data
- Online identifiers: cookies, IP addresses, browser history, location data, etc.
Under the GDPR, the financial penalties incurred can be substantial. POPIA includes lower financial penalties but does set out the possibility of imprisonment or sanctions for guilty parties.
Enforcement of offences and non-compliance is the responsibility of the Information Regulator, which administers both monetary and criminal penalties.
Section 109 states that the maximum fine for infringement is ZAR 10 million (approx. €490,000). Meanwhile, section 107 states that certain violations can result in a prison sentence of up to 10 years.
All complaints from data subjects must first be submitted to the Regulator, who is then charged with investigating the case. The Regulator then decides whether to proceed with enforcement action or to pursue no further penalties.
Now that POPIA has finally come into effect, organizations operating in South Africa must ensure their compliance. Thankfully, those who are already GDPR-compliant will find little difference between the two acts. Indeed, the GDPR’s eight conditions for lawful data processing are mirrored in POPIA.
In short, to guarantee you are in accordance with POPIA:
Follow these four simple steps, and you’ll be most of the way towards complete POPIA compliance. For further information on the Act, please refer to the original legislation.