What you need to know about GDPR and what it means for POPI Act compliance.
Welcome back to Digital Cabinet’s series all about things Compliance. Last time, we thought we’d start with a confusing subject for many businesses: South Africa’s Protection of Personal Information (POPI) Act. Particularly, we broke down what it is, when it will come into effect, and what it means for your business.
This time, we’re looking at a similar set of data protection laws that are in effect in the European Union: the General Data Protection Regulation.
But how, you may be asking, does a set of privacy policies in the European Union affect businesses in South Africa?
What is the GDPR?
South Africa’s Protection of Personal Information Act (the POPI Act, or POPIA) is a means of safeguarding how businesses collect and handle personal information.
Similarly, the EU’s General Data Protection Regulation (or, GDPR) regulates the same processes, but could be seen as a related and broader version of the POPI Act—an older sibling, if you will.
Both are responsible for legislating and regulating ‘new rules’ for what personal information may be used for, as well as how and if the information can be shared, how securely that information must be stored, and what protocols must be in place if an organization’s systems have been breached.
In a nutshell, the GDPR applies to any instances where personal data processing activities are conducted by an EU-based controller (i.e. the party responsible for processing personal data).
Importantly, it also applies to all entities within or outside the EU that process personal data of EU citizens, no matter the capacity of that data processing—even if you are merely storing personal information, these regulations apply.
GDPR compliance is only necessary if one or more of the following applies to a business or organization:
- An organization has a legal entity in the European Union—for example, a company.
- An organization sells goods or services to EU citizens.
- An organization monitors the behaviour/data of EU citizens or individuals in the EU.
- An organization is established in the EU in some other way—this is a bit vague and regulated on a case-by-case basis, but essentially this covers cases where you have equipment (such as servers) based in the EU, and/or you have representatives in EU countries (be it a branch, subsidiary or agent).
The above are the ways in which businesses based in South Africa could be affected by the GDPR.
The GDPR vs. the POPI Act
While the GDPR was being drafted, the POPI Act was being finalized and thus the latter had the opportunity to incorporate some of the GDPR’s concepts.
As a result, the two pieces of legislation are similar in their general wording concerning the conditions and regulations they set out, with only the terminology slightly different. For example, the GDPR has terms such as “controller,” “processor,” and “data protection officer”, whereas the POPI Act uses terms like “responsible party,” “operator” and “information officer” respectively. All these terms correlate to each other and have essentially the same definitions and purpose.
However, the GDPR was then finalized and passed (it went into effect in May of 2016, with its two-year grace period for compliance ending in May of 2018), and several changes were implemented relative to the early drafts, so there are some key differences between the two.
Some differences show up in the basic functions of both regulatory policies: whereas the GDPR sets certain risk levels for particular data types, and requires data impact assessments, the POPI Act does not and holds all personal data types as equal in terms of risk and importance. The GDPR also provides exemptions for some SMEs, while the POPI Act does not.
Another difference comes in with respect to ‘data protection officers’ and ‘information officers’: the GDPR makes the data protection officer’s role obligatory only for certain types of organizations that handle certain types of data of a certain risk level, whereas the POPI Act makes information officers the default in all businesses and organizations.
While these variations are important, they are still only relatively minor—both still regulate what personal information is processed and how it is done.
The main differences between the two, however, involve their scopes of jurisdiction.
The POPI Act has relevance to South African businesses in South Africa only, and reaches only as far as South African businesses that use international data controllers to process data.
In order to be POPI compliant, South African businesses that store data, or use third-party organizations to process that data, in a foreign country—or on servers that are based in a foreign country—must ensure that that country has equally stringent data protection laws in place.
The POPI Act also regards businesses as people and thus extends the protection of personal information to information collected about businesses and companies, not only of individuals.
The GDPR, however, not only covers individual EU citizens’ data but extends even further in terms of jurisdiction by including all businesses outside of the EU that do business within the EU or with EU nationals, regardless of where the business is located and handles data.
One of the biggest differences between the two is in terms of penalties: whereas failure to comply with the POPI Act could result in fines or legal action and possibly even incarceration, the GDPR does not have such legal measures in place.
Instead, failure to comply with GDPR regulations can result in fines of up to 4% of a non-compliant organization’s global annual turnover or €20 million, whichever is greater—which can be crippling for South African-based companies.
What does the GDPR mean for POPI Act compliance?
Generally speaking, if you are fully compliant with the GDPR then you should be sufficiently compliant for the POPI Act.
While both pieces of legislation are largely the same, their differences mean that getting a handle on which to be compliant with is a bit tricky.
This can get especially nebulous when considering that businesses which have already made moves to be GDPR compliant might not know if those steps are sufficient in terms of the POPI Act, or vice versa.
However, being POPIA compliant does not necessarily mean being GDPR compliant. POPIA compliance can be seen as a stepping-stone to GDPR compliance—while there will be a few extra steps to undertake, it shouldn’t be an entirely separate process.
As a result, it is recommended that you do your research in order to ensure that you are compliant, and that you are certain of whether and how you are processing and handling personal data.
For newer businesses, compliance should be part of any startup, so ensuring both POPIA and GDPR compliance can be handled at the same time. For more established organizations that often have legacy systems in place, compliance in either can often mean an overhaul of their systems.
Here are a few tips to get you started on GDPR compliance:
- Audit your data: what data do you store, how and where is it stored, can it be deleted, and is it even necessary to keep that data at all?
- Revise your subscription processes: can your customers opt-in/opt-out easily? How can you monitor who has what permissions and what permission is necessary for what data type?
- Determine your liability status: are you a Controller or a Processor of your data? Do you store and process the data yourself, or do you use a third party to do it for you? Do you have the necessary contracts in place?
- Educate management and employees: do the people that make up your business know what POPI is and why it is important? Do they know what GDPR is and what it means for liability and what the repercussions of non-compliance are?
- Establish data breach policies: if a data breach does occur, what systems, policies, and procedures do you have in place to detect and report the breach?
A person’s online privacy—the protection of their personal information—is not just an ideal; it is a human right.
Because the internet has now made international borders virtually obsolete in doing business, it is incredibly important to do your due diligence and make sure you have the correct procedures and security measures in place to safeguard personal information, responsibly and transparently—even just having a website that has a language option for an EU language could be a reason to be GDPR compliant.
With recent scandals such as the cybercriminal hack of Liberty Holdings, and mega-corporations such as Facebook playing fast and loose with people’s personal information, security and governmental safeguards against such invasions of privacy occurring again are more important than ever.
As Digital Cabinet is a cloud provider, we have a responsibility to ensure that your data is secure and private, and that only the people with permission to do so have access to your data. Our reporting tools are there to help you process your data in the way that best suits your business. And secure it is: our servers are encrypted and monitored, and access to the platform is secured by the latest security measures.
Even within the platform, you have full control of your own data. Our Permissions Manager means that you can manage exactly who can see what and to what extent—all easily customizable to suit your needs.
Digital Cabinet is here to ensure your business works smoothly and efficiently with digital, paperless and automated processes and workflows so that you can spend less time on the mundane, yet essential tasks of running your business and more time on focusing on tasks that are profitable—what you do best.
You can find out more about Digital Cabinet at www.digitalcabinet.co.za