Data Protection in South Africa

When it comes to data protection, there is a lot of uncertainty around compliance and regulations. However, in the age of Big Data and an increasing number of data privacy breaches, individuals and companies need to get up to speed on the regulations around privacy practices and data protection. Kagiso Rangaka (Manager, Michael Page Information Technology) interviewed Imraan Kharwa – a Data Protection Specialist at a Global Consultancy, who offers a top level overview of the rules around data protection in South Africa. 

1. What is data protection/privacy? 

Data protection is the process of safeguarding important information from corruption, compromise or loss. Examples include: data breaches, loss of sensitive data and data that is rendered unreadable or unusable. 

Data privacy, by contrast, is the necessity to preserve and protect any personally identifiable information, whether of individuals or juristic entities (in the South African context) collected by any organization. Data privacy spans the entire life cycle of personal information within an organisation, from collection through to destruction or de-identification (anonymization). 

2. What is “personal data?” 

Personal data, as defined by the European Data Commission, is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitutes personal data. In South Africa, this also encompasses the personal data of juristic entities. 

3. What is POPIA? 

The Protection of Personal Information Act 4 of 2013 (POPIA) is the comprehensive data protection legislation enacted in South Africa. POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information. The date when POPIA will come into effect has not been set as at the time of writing. 

4. What is GDPR? 

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individuals, citizens of the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA areas and regulates data protection within the EEA and outside of it. The GDPR has been in effect since 25 May 2018. 

5. What are the major differences between GDPR and POPIA? 

The major differences between POPIA and the GDPR include, but are not limited to: 

• POPIA regulates the processing of personal data of juristic entities as well as individuals, while the GDPR only regulates those of individuals. 
• The GDPR has extra-territorial application – meaning it applies to processors of personal data outside of the European Economic Area while POPIA is limited to processing within the territory of South Africa. 
• The GDPR mandates privacy impact assessments, privacy by design and default – concepts that are not found within POPIA. 
• The consequences for breaches are different. POPIA sets a maximum fine of R10 Million for non-compliance, while the GDPR expands this to 20 Million Euro, or 4% of company’s worldwide turnover. 

6. When will the regulation (both GDPR and POPIA) come into effect? 

• The GDPR is in full effect as at 25 May 2018. 
• The effective date for POPIA has not yet been set, but final versions of the regulations were published on 14 December 2018. 

7. Who will be affected? 

• All organisations that process personal data or personal information. 
• All individuals, whose personal information or data are processed by organisations 
• Juristic entities in South Africa whose personal information is processed by organisations. 

8. What responsibilities will companies have under this new regulation? 

Companies will have to ensure that they are in full compliance with the applicable data protection legislation based on their data processing practices. Data protection requires a multifaceted and multi-disciplinary approach and is a critical aspect of any organisation’s risk mitigation strategy. 

9. What are the penalties for failing to comply with the laws? 

• POPIA sets a maximum fine of R10 Million for non-compliance or 10 years imprisonment. 
• The GDPR expands financial penalties to 20 Million Euros, or 4% of company’s worldwide turnover. 

10. Do you think there is enough awareness across organizations around GDPR and POPIA compliance requirements? 

Almost universally, the approach has been to date, reactive as opposed to proactive. Organisations would be well advised to take data privacy more seriously and consider the financial and reputational consequences of non-compliance with data protection legislation. 

11. Who in organizations should be leading the change to ensure compliance with data privacy laws once GDPR and POPIA come into effect? 

This may vary from organisation to organisation and will include a designated Information Officer or Data Protection Officer in most cases.

If you would to hire Chief Data Officers, Data Protection Officers, Data Privacy Specialists or any related roles, please get in touch with us. Opportunities only seem to be increasing in this space, so if you are ready to explore a new role, sign up to receive our job alerts.