On 1 July 2020, South Africa’s Protection of Personal Information Act (POPIA) finally came into force, coming hot on the heels of other new privacy regulations, such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Most sections of the act are now officially law. But compliance isn’t mandatory until the remaining part of the legislation, which grants enforcement powers to South Africa’s new regulatory authority, the Information Regulator, comes into effect on 1 July 2021. This means that, if your organization is subject to the POPIA, you only have a few months to comply.
POPIA only applies to companies based in South Africa or those that process personal data within South African borders. So, to check whether you need to comply, you’ll need to find out exactly where you’re processing personal data. This should include the whereabouts of not only your on-premises data centers but also your cloud-based deployments. Your cloud infrastructure will likely be the deciding factor, as both AWS and Microsoft Azure now have cloud regions in South Africa. So your company could well be using them in a bid to bring your data closer to African customers.
POPIA VS GDPR
Despite its slightly earlier origin, the POPIA is still very similar to the GDPR, sharing much the same guiding principles, including accountability, transparency, security, data minimization, purpose limitation and the rights of data subjects. In terms of how it defines personal data, the POPIA is more extensive than the GDPR, as it covers not only the information you collect about individuals but also about companies and other types of organization. This is a significant departure from other data privacy laws, so it’s not yet clear how exactly it’ll work in practice. However, as your first step to compliance, you should reflect the new legal requirements in your contracts with partners, suppliers and vendors.
As with the GDPR, the POPIA classifies a separate subcategory of personal data, known as special personal information, which is more sensitive and therefore subject to stricter requirements. This mainly relates to an individual’s:
• religious or philosophical beliefs
• race or ethnic origin
• trade union membership
• political persuasion
• sex life or sexual orientation
• physical, physiological or behavioral characteristics (biometric data)
In addition, the POPIA applies to the personal data of any individual—regardless of their nationality. So while the GDPR is only designed to protect EU citizens, the POPIA protects anyone whose personal data is processed within South African territory or by a South African undertaking.