Apr 17, 2019

Can Businesses Choose Between Compliance With GDPR Or POPI?

While the Protection of Personal Information Act (POPI Act) was enacted as far back as 2013, many people are left to speculate as to when the commencement date shall be, as the one year grace period starts to run from the time of commencement thereof. As if this waiting game isn’t the cause of sufficient frustration with the provisions of the POPI Act, individuals, employers and business owners alike now have to become acquainted with the General Data Protection Regulation (GDPR) in order to suss out the need to fall in line therewith.

It is accepted that the GDPR, placed into operation in 2016, has set a global standard in terms of protection of data. Many people wish to understand how GDPR affects the POPI Act when the Act itself remains, for the most part, inoperative.

The GDPR shall apply to all data processing activities that are done by a controller in the European Union (EU). It applies to the processing of personal information of all data subjects that reside in the EU. Should any individual or business offer or provide goods or any form of a service to any citizens of Europe, then the individual or business shall be obligated to follow the provisions of the GDPR. 

Business owners want to be aware of what their obligations are. Do they recognise and comply with both? Does POPI hold more weight than GDPR? The most pressing concern amongst many people would be the possibility of conflicting provisions between the two. If one studies the European Regulations together with the POPI Act, one shall quickly come to realise both are based on similar data protection regulations.

For those businesses that have not yet begun any form of compliance strategy with the POPI Act, the best course of action would be to determine whether or not you need to comply with the GDPR. The following points ought to be kept in mind:

- Do you have a business or activity that has been established in the EU?
- Are you a supplier offering goods and/or services to citizens within the EU?
- Are you monitoring the behavioural patterns of citizens within the EU?
- Do you have a processor of data in the EU?

The deadline for compliance with the GDPR was 25 May 2018, while it is anticipated that the deadline for compliance with the POPI Act shall be by or during 2020. It may be advisable for individuals who likely fall within the criteria mentioned above to seek official GDPR and POPI Act comparison reports in the event that business requirements demand that they understand the differences between the two.

The long and the short of it is: GDPR is not an adequate replacement for the POPI Act, but the POPI Act may yet have to be amended in order to uphold the requirements set by the GDPR. It is the prevailing thought amongst analysts that the POPI Act will have to be tweaked in order to be brought in line with GDPR if we are to attract more business and therefore build on our economy. This makes sense when we remember that the EU is one of South Africa’s largest trade partners. It remains to be seen whether the Information Regulator shall interpret the POPI Act in line with GDPR, or whether additional regulations may yet need to be announced in this regard.

ABOUT THE AUTHOR

Meggan Watson is a SEESA Labour, Consumer Protection and POPI Legal Advisor at our Port Elizabeth office. Prior to joining SEESA in 2015, she completed her Articles of Clerkship in Bloemfontein.