South Africa's Protection of Personal Information Act (POPIA) became fully enforceable on July 1, 2021, after a one-year grace period. POPIA is closely modelled on the data protection framework established by the GDPR, and it is the first comprehensive legislation in South Africa to protect data privacy rights.
The two laws have several similarities in their scope and in the rights they grant to data subjects. That said, there are significant differences between them, and an organization aiming to comply with both will need to take these differences into consideration.
One major difference is that while the GDPR protects only natural persons, POPIA covers personal information relating to both natural persons and existing juristic persons (companies, organizations and so on).
Both GDPR and POPIA allow organizations to process personal data only on a lawful ground. The lawful grounds the two laws share are the data subject's consent, performance of a contract, compliance with a legal obligation, the legitimate interests of the controller (the "responsible party" in POPIA's terminology) and performance of a task in the public interest. One minor difference is that the GDPR's ground of "protection of the vital interests of the data subject or of another natural person" corresponds to POPIA's ground of "protecting a legitimate interest of the data subject".
Below is the comparison between POPIA and the GDPR that we have prepared to help organizations comply with both laws.
Both GDPR and POPIA apply to organizations that process personal data of data subjects in the EU and in South Africa, respectively; POPIA additionally covers the personal information of existing juristic persons. Both laws bind public and private bodies alike.
GDPR (Articles 3 and 4(1); Recitals 22-25): The GDPR applies to controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not. It also applies to organizations not established in the EU that offer goods or services to data subjects in the EU or monitor their behaviour, as far as that behaviour takes place in the EU.
POPIA (Section 3): POPIA applies to responsible parties domiciled in South Africa. It also applies to responsible parties not domiciled in South Africa that use automated or non-automated means located in South Africa to process personal information, unless those means are used only to forward the information through the country.
Both GDPR and POPIA grant data subjects a set of rights, but the details differ between the two laws, and these seemingly small differences translate into significant operational differences when complying with both.

Right to be informed
GDPR: Articles 13 and 14; Recital 58
POPIA: Section 18

Right to object
GDPR: Article 21; Recitals 69 and 70
POPIA: Section 11

Right of access
GDPR: Article 15; Recital 63
POPIA: Section 23

Right to restriction of processing
GDPR (Article 18; Recital 67): Data subjects have the right to obtain restriction of processing where the accuracy of the data is contested, the processing is unlawful and the data subject opposes erasure, the controller no longer needs the data for the purposes of the processing but the data subject requires it for legal claims, or the data subject has objected to the processing under Article 21(1) and the objection is pending verification of whether the controller's legitimate grounds override those of the data subject.
POPIA (Section 14(6)): Data subjects have the right to obtain restriction of processing where the accuracy of the information is contested, the processing is unlawful, the responsible party no longer needs the information for the purpose for which it was collected, or the data subject has requested that the information be transmitted into another automated processing system.

Right to rectification
GDPR (Article 16; Recital 65): Data subjects have the right to obtain from the controller the rectification of inaccurate personal data and to have incomplete personal data completed.
POPIA (Section 24): Data subjects have the right to request correction of their personal information. Responsible parties must correct the information as soon as reasonably practicable.

Right to data portability
GDPR (Articles 12, 20 and 28; Recitals 68 and 73): Data subjects have the right to receive their data in a structured, commonly used and machine-readable format and to transmit it to another controller.
POPIA (Section 14(6)): POPIA allows data subjects to request that their personal information be transmitted into another automated processing system. It contains no further provision on data portability.

Right not to be subject to automated decision-making
GDPR (Article 22): The GDPR gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them.
This prohibition does not apply where the decision is necessary for entering into or performing a contract between the data subject and the controller, is authorized by Union or Member State law, or is based on the data subject's explicit consent. In the contract and consent cases, the controller must implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
POPIA (Section 71): POPIA gives data subjects the right not to be subject to a decision that results in legal consequences for them, or that affects them to a substantial degree, where the decision is based solely on automated processing of personal information intended to profile the data subject.
This prohibition does not apply where the decision is taken in connection with the conclusion or execution of a contract and either the data subject's request under the contract has been met or appropriate measures are in place to protect the data subject's legitimate interests, or where the decision is governed by a law or code of conduct that specifies appropriate measures for protecting the legitimate interests of data subjects.
Both GDPR and POPIA impose fines and penalties on organizations that fail to comply with their requirements.
GDPR: Articles 83 and 84; Recitals 148 and 149
POPIA: Section 74
For quick action items for POPIA compliance, refer to our Compliance Checklist for South Africa's POPIA, and for a detailed overview see our whitepaper, What do you need to know about South Africa's POPIA.
To stay compliant with global privacy regulations, organizations need the help of automation. Privacy regulations are a tough obstacle to navigate, and with data volumes and regulations growing simultaneously, it is virtually impossible for organizations to comply using manual methods alone.
Securiti offers organizations an AI-powered solution that helps them comply with regulations around the world swiftly and efficiently. Robotic automation and AI come together to give you a 360-degree solution for all your data compliance needs. To learn more about this solution, visit https://securiti.ai/ to book a free demo.
The GDPR is the European Union's data protection regulation, while POPIA (Protection of Personal Information Act) is South Africa's data protection law. Both laws share similar principles but differ in scope, requirements and jurisdiction.
The GDPR is a comprehensive EU regulation, while a Data Protection Act (DPA) is national legislation adopted by an individual member state to supplement and implement the GDPR within its own legal framework.
The GDPR applies within the European Union and its member states. However, a South African organization that offers goods or services to, or monitors the behaviour of, data subjects in the EU may also need to comply with the GDPR.
Copyright © 2023 Securiti