It all begins in that split second at birth when a person becomes identifiable by a name and number; that is when the processing of personal information occurs. Surprisingly, the same rule applies to entities: the moment they obtain a name and registration number, they are identifiable in the eyes of the law. Now questions and ambiguity kick in. Is personal information protected? Does a person understand and consent to the processing of their information? And what happened to the constitutional right to privacy?
The Protection of Personal Information Act (POPIA) and the General Data Protection Regulation (GDPR) were introduced specifically to clarify data protection and privacy. Both are tools that give a person a degree of control over their personal information when it is being collected, stored, used, or communicated by another person or institution. However, many questions still arise about which legislation best serves us: is it POPIA or GDPR? This article will briefly highlight and illustrate the difference between the POPI Act and GDPR. It will also touch on how an organisation or individual can implement both pieces of legislation and, lastly, focus on the practicable regulation that serves us better in data protection and information processing.
Let’s first understand the following legal terms:
Personal information – means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person.
Processing – means collecting, buying, selling, storing, deleting, and using personal information.
The Protection of Personal Information Act No. 4 was enacted in 2013 to give effect to section 14 of the Constitution of the Republic of South Africa, which makes provision for the right to privacy. The purpose of this Act is to promote the protection of personal information processed by public and private bodies, and to provide a guideline on the minimum requirements for the processing of personal information and on other privacy requirements. The POPI Act consists of 8 conditions that serve as a guideline for the lawful processing of personal information; these conditions are binding on any responsible party that processes personal information.
The General Data Protection Regulation 2016 is a new data protection law enacted in Europe that will apply to the whole of the European Union (EU) and many organisations in other parts of the world. It sets out several requirements that anyone who controls personal data must meet to use it lawfully. GDPR comprises 99 articles and 173 recitals that apply to the processing of personal data done either entirely or partially by automated means, where personal data is any information that identifies the data subject (person). This regulation makes it simpler and cheaper for organisations to do business in the EU and around the world since they will only have to deal with one supervisory authority.
Therefore, the difference between the POPI Act and GDPR is that POPIA applies only in South Africa, whereas GDPR was enacted in Europe but now applies globally.
If any organisation wishes to do business in Europe or any other country, it will have to comply with GDPR as an international regulation. In South Africa, any organisation or responsible party that wishes to process personal information is obliged to comply with the POPI Act. Both regulations are there to assist and ensure that data protection is implemented in all organisations in South Africa as well as globally. It is therefore advisable that everyone practises both regulations to promote the lawful processing of personal information.
Which regulation serves us best in the protection of our data and processed information? Michalson (2002) writes: “The good news is that the GDPR and POPIA are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South Africa enacted POPIA, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA and it would mean that the South African Parliament would need to change POPIA significantly. The GDPR is more an update to data protection law, rather than a complete overhaul. For those who have already done much to comply with POPIA or the GDPR, it is good news. They won’t need to start again. But they will need to tweak what they have been doing. And in some cases, the GDPR will even help by providing answers to questions we have been asking”. It is therefore clear that both the POPI Act and GDPR will serve us better, individually and in our organisations, when processing and retaining data. However, we should all bear in mind that the POPI Act is a requirement in South Africa only, not globally, whereas GDPR applies globally, especially for organisations that wish to be in partnership with international companies.
How can WWISE assist your organisation in implementing POPIA & GDPR?
WWISE strives to ensure that all clients are POPIA & GDPR compliant by providing plans and strategies to utilise during implementation. At WWISE, we will assist your organisation in answering What, Who, How, Which and When questions.
- What personal information is being processed?
- Who processes the information and who has access to it?
- How is the information processed? Is the processing lawful, and does it avoid infringing any personal rights?
- Which security measures are applicable in safeguarding personal information?
- When should the information be destroyed and deleted?
For more information on POPIA implementations and compliance in your business, contact WWISE on 08610 99473 or 021 525 9159 (Cape Town) or visit https://www.wwise.co.za
You can find out more here: https://wwise.co.za/dev-final/ict-governance/#popi