The EU’s General Data Protection Regulation (GDPR) takes effect on 25 May 2018. And while organisations across the EU are scrambling to get their affairs in order, even in South Africa we receive e-mails telling us that we must become GDPR compliant by the deadline. But is this true for South Africa?

The GDPR is an EU regulation. It does not have general effect in South Africa and is not a local law in this country. But, parties that process personal information in South Africa might still have to comply with the GDPR, because the GDPR does have so-called “extra-territorial application”. A person or entity in South Africa will need to comply with the GDPR’s requirements if they process personal information of someone based in the EU. But this will only be the case if the information is processed in relation to the offering of goods or services or the monitoring of behaviour that takes place in the EU. For example, you will need to comply with the GDPR if you sell products to people in the EU or if you have a website that tracks the behaviour of people in the EU by using cookies. Of course, it remains to be seen how the GDPR will actually be enforced against parties outside the EU.

Even though the GDPR might not apply to you, it is still a good time to start getting ready for POPI – South Africa’s own data protection law. POPI is based on the GDPR’s predecessor, the EU Data Protection Directive. There are also many similarities between POPI and the GDPR. You can learn more about POPI readiness here.

This article was first published on, Partner, Danie Strachan’s LinkedIn Profile