In an increasingly connected world, the protection of privacy and personal data has become a key concern for legislators in a number of jurisdictions. In South Africa, an attempt to give effect to the constitutional right to privacy resulted in the Protection of Personal Information Act, 2013 (“POPI”), which was gazetted on 26 November 2013. Since then, certain provisions of the Act relating to the establishment of the Information Regulator and the making of regulations under POPI have come into force. Subsequent to this, an Information Regulator was appointed and draft regulations in terms of POPI have been published. The full Act will come into force on a date to be determined by the president by proclamation in the gazette.
POPI is largely based on the European Union Data Protection Directive (“EU Directive”) and also has a Commonwealth influence. While many South African businesses are already in the process of putting systems in place to ensure compliance with POPI, they should not neglect to take into consideration whether they must also comply with the General Data Protection Regulation (“GDPR”), which is set to replace the EU Directive on 25 May 2018. Unlike the EU Directive, the GDPR creates one set of rules to be implemented uniformly across the EU, with no room for interpretation or differing implementation by each EU member state.
Why is an EU law important to organisations in South Africa? The GDPR applies to personal data processing in EU member states, as well as to the transborder transfer of such data. It also specifically applies to businesses that are not established in the EU, but that offer goods or services to EU-based individuals (free or paid) and websites or other online services accessed by, or targeting, EU-based individuals, particularly in the country’s local language.
There are severe penalties for non-compliance with the GDPR, including a fine of up to 4% of an organisation’s annual global turnover or EUR20-million (whichever is greater). This may have debilitating consequences for non-compliant organisations in South Africa.
South African companies are therefore urged to take steps to ensure compliance not only with POPI, but also with the GDPR, where applicable, to avoid heavy fines.