In a progressively connected world, the protection of personal information and data has become a main concern for legislators in a number of jurisdictions. The right to privacy of each South African citizen, including juristic persons such as companies, closed corporations, etc. is entrenched as a human right in the Constitution of South Africa, 1996.
Businesses operational in South Africa are presently facing the enactment of the Protection of Personal Information Act 4 of 2013 (POPIA). POPI legislation will soon come fully into effect with its main objectives being to control the processing of personal information and data protection in a robust effort to align all South African data protection laws with international standards. An Information Regulator has already been appointed and is gradually becoming involved in matters relating to information security breaches.
As many South African businesses are already in the process of implementing systems to ensure POPI compliance, they cannot afford to ignore the European General Data Protection Regulations (GDPR) to be implemented soon. South African businesses are barely coming to grips with POPI and must now also get their heads around the implications of the European privacy and data protection legislation. This week, we are answering the most important questions that business may ask relating to this burning topic.
The GDPR is a new privacy and data protection law adopted by the European Parliament early in 2016. It has many similarities with the POPI Act (POPIA) and various other privacy laws globally. It aims to safeguard against any data and privacy breaches in a new global milieu where business has become entangled with technology and most data is conveyed electronically.
South Africa’s main data protection law, POPI, was enacted in 2013. Since then, certain provisions of the Act relating to the establishment of the Information Regulator and regulations under POPI have come into force. The full POPI Act will take effect once a date has been determined by the President.
The European Parliament set a two-year grace period implementation of the GDPR after it came into effect on 25 May 2018. The Information Regulator will most likely be guided by the implementation of the GDPR in order to determine the commencement date for POPI, with a one-year grace period for implementation.
The GDPR is seen as the international gold standard for protecting personal information and will impact on compliance obligations and monitoring and also advise all international stakeholders.
A key fact is that if we are not prepared to be compliant in order to do business with companies in European countries, we might be seen as a high-risk country from a personal information protection perspective in the case of those companies who need to be compliant.
The GDPR and POPI Act have similar definitions, conditions and principles. The GDPR covers the same fundamental rights but is far more extensive.
There are severe consequences for GDPR non-compliance, including a fine of up to 4% of an organisation’s annual global turnover or EUR20-million (whichever is greater). This may have devastating consequences for non-compliant organisations. In contrast, POPI’s penalty for non-compliance is a fine of up to R10 million or 10 years’ imprisonment.
Conforming to the legal framework to be in line with the GDPR will therefore be crucial for all South African businesses. The effect is that all South Africans will understand the value of personal information and start implementing measures to safeguard personal information as an organisational asset, taking the operational costs, technical measures and risks into account. The South African Information Regulator will start monitoring and enforcing the POPI Act to enhance cross-border cooperation and international harmony. Given the imminence of the 25 May 2018 enforcement deadline, it is now the time to get started with all compliance initiatives, and the same can be said for compliance with POPIA.
South African companies are encouraged to take the necessary steps to ensure compliance with POPI, which will also to a large extent ensure compliance with the GDPR to avoid unnecessary exorbitant statutory sanctioning. Compliance is inevitable. It doesn’t have to be complex. Business owners should engage with the right people to assess their businesses and assist with the development of an implementation strategy based on best practices that will streamline compliance.
About the Author: Retha van Zyl completed her BCom (Economics and Risk Management) studies at the North West University. She joined our team in January 2016 where she currently holds the title of ‘Information Compliance Advisor’. She specialises in POPI and PAIA Compliance, which includes compiling and submitting PAIA Manuals to the Human Rights Commission. She is operationally involved with the POPI auditing process for our clients. She also compiles and implements Information Security Management Systems (ISMS) where she identifies the risks associated with information security in each department within an organisation.
© 2018 SERR Synergy. All Rights Reserved.