Businesses operating in South Africa are currently preparing for the imminent Protection of Personal Information Act 4 of 2013 (POPI). POPI will come into effect in its entirety, by presidential proclamation, on a date which is still to be determined. POPI’s objectives are to regulate the processing of personal information and data protection in an effort to align South African data protection laws with international standards. Although businesses operating in South Africa should, from a data protection perspective, be focused on putting systems in place to ensure compliance with POPI, they should not neglect the General Data Protection Regulation (GDPR). The European Union’s (EU) GDPR will come into force on 25 May 2018 and introduces improved data protection and privacy laws.
Businesses operating in South Africa need to be aware that the GDPR applies not only in EU member states but also where data is transferred to or from the EU. This means that businesses operating in South Africa which engage in business with persons in EU member states will fall within the ambit of the GDPR. Notably, the GDPR will apply where businesses in South Africa:
- Process the data of an EU member state citizen or temporary resident
- Have employees based in an EU member state
- Offer goods or services in an EU member state
- Have a partnership with an EU business
Businesses in South Africa that have a presence in the EU will therefore need to be aware of the new requirements under the GDPR in order to continue to conduct their businesses in a data protection compliant manner.
The GDPR aims to safeguard against privacy and data breaches in a new global environment where business has become intertwined with technology and where most data is transmitted electronically. The GDPR is markedly different from its predecessor, Directive 95/46/EC, in that it creates one set of rules to be implemented uniformly across the EU, with no room for interpretation or differing implementation by each EU member state.
The GDPR, in line with its risk-based approach requiring organisations to take responsibility for the way in which they process personal information, sets out severe consequences for non-compliance. The penalty for a breach under the GDPR can be a fine of up to 4 percent of the organisation’s annual global turnover or €20 million (whichever is greater), which may have debilitating consequences for organisations in South Africa. In startling contrast, POPI’s penalty for non-compliance is a fine of up to ZAR10 million and/or 10 years’ imprisonment.
To comply with the GDPR and prepare for POPI, South African organisations which process personal information can take steps to avoid heavy fines. One such step is conducting a comprehensive due diligence of their businesses to determine where and how the personal information of data subjects is processed. This will then assist them to plan accordingly and make sure that appropriate measures are taken to ensure compliance with POPI and the GDPR.