GDPR vs. POPIA: Comparing South African Version

Published September 21, 2021
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


GDPR vs. POPIA: What do you need to know

South Africa's Protection of Personal Information Act (POPIA) became fully enforceable on July 1, 2021. POPIA is closely modelled on the data protection framework established by the GDPR, and it is the first comprehensive legislation in South Africa that protects data privacy rights.

The two laws share several similarities in their scope and in the rights they grant to data subjects. That said, there are significant differences between them, and an organization aiming to comply with both will need to take these differences into consideration.

One major difference is that the GDPR protects only natural persons, whereas POPIA covers personal information relating to both natural persons and existing legal (juristic) persons such as companies and other organizations.

Both GDPR and POPIA allow organizations to process personal data only on a lawful ground. The lawful grounds common to both include the data subject's consent, the performance of a contract, compliance with a legal obligation, the legitimate interests of the controller (or a third party), and the performance of a public task. One minor difference is the GDPR ground of "protection of the vital interests of the data subject or of another natural person", which has no exact equivalent in POPIA; the closest POPIA ground is processing that "protects a legitimate interest of the data subject".

Below is an overview of the comparison between POPIA and GDPR that we have prepared to help organizations comply with both laws.


Application Scope

Both GDPR and POPIA apply to organizations that process personal data of individuals in the EU and in South Africa, respectively. POPIA additionally protects the personal information of existing legal (juristic) persons. Both laws bind public and private bodies alike.


Articles 3, 4(1)

Recitals 22-25

The GDPR applies to controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU. It also applies to organizations not established in the EU that offer goods or services to data subjects in the EU, or that monitor the behaviour of individuals in so far as that behaviour takes place in the EU.

vs

Section 3

POPIA applies to organizations (responsible parties) domiciled in South Africa. It also applies to organizations not domiciled in South Africa that make use of automated or non-automated means in South Africa to process personal information, unless those means are used only to forward personal information through the country.


Data Subject Rights

Both GDPR and POPIA grant data subjects certain rights, but the details differ between the two laws. These seemingly small differences translate into significant operational differences when trying to comply with both.

Article 17; Recitals 65-66
  1. Data subjects have the right to request erasure of their personal data that must be responded to without undue delay.
  2. The right to erasure applies when the personal data is no longer necessary, when a data subject withdraws consent, when the data was unlawfully processed, or when data has to be erased for compliance with legal obligation.
  3. The right to erasure does not apply to the extent that the processing is necessary
    • For exercising the right of freedom of expression or information
    • For compliance with a legal obligation
    • For reasons of public interest
    • For establishment, exercise or defence of legal claims
    • For archiving purposes in the public interest, scientific or historical purposes or statistical purposes
vs

Section 24

  1. Data subjects have the right to request destruction or deletion of their personal data that must be responded to as soon as reasonably practicable.
  2. The right to deletion applies to personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or that the responsible party is no longer authorised to retain under the retention rules of Section 14.
  3. POPIA does not provide any specific scenarios when the right to erasure cannot be exercised.

Articles 13, 14; Recital 58

  1. Certain information relating to personal data processing must be provided to data subjects, whether or not personal data is collected directly from data subjects.
  2. This includes the identity and contact details of the controller and, where applicable, of the controller's representative and data protection officer; the purposes and lawful basis of the processing; the recipients or categories of recipients of the personal data; where applicable, the fact that the controller intends to transfer personal data outside the EU, together with the transfer mechanism relied on; and any further information necessary to ensure fair and transparent processing.
  3. Data controllers are also required to inform data subjects of the existence of data subjects’ rights.
vs

Section 18

  1. Organizations must take reasonably practicable steps to provide data subjects certain information in connection to their personal data prior to the collection or as soon as reasonably practicable after the information has been collected.
  2. This includes the personal information being collected; its source, where it is not collected from the data subject; the name and address of the controller (responsible party); the purpose of collection; whether the supply of the information is voluntary or mandatory and the consequences of failing to provide it; where applicable, the controller's intention to transfer the information to a third country; and the recipients, nature or category of the personal information.
  3. Data controllers are also required to inform data subjects of the existence of their rights.

Article 21; Recitals 69, 70

  1. Data subjects have the right to object to the processing of their personal data where the processing is based on legitimate interests or on a task carried out in the public interest. Following a valid objection, the data controller must no longer process the data subject's personal data unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims.
  2. Data subjects also have the right to object to their data being processed for direct marketing purposes.
vs

Section 11

  1. Data subjects have the right to object, at any time, to the processing of personal information where the processing is based on legitimate interest of the data subject, performance of public law duty by a public body, or the legitimate interest of the controller or third party. The objection must be based on reasonable grounds relating to the data subject’s particular situation and may be refused if legislation provides for such processing.
  2. Data subjects also have the right to object to their data being processed for direct marketing purposes.

Article 15; Recital 63

  1. The right of access includes the right to obtain confirmation from the controller as to whether or not personal data is being processed and access to the personal data. Data controllers are required to include certain information in their response to an access request including the categories of personal data, data recipients, the purposes and retention periods.
  2. The deadline to respond is one month, which may be extended by two further months where necessary, taking into account the complexity and number of the requests.
  3. A data controller can refuse to act on a request under certain circumstances. For example, the request to obtain a copy of personal information may be refused if granting it will adversely affect the rights and freedoms of others.
  4. The right to access can be exercised free of charge. However, a controller may charge a reasonable fee on manifestly unfounded or excessive requests, in particular because of their repetitive character. For example, an administrative fee may be charged for any further copies requested by the data subject.
vs

Section 23

  1. Data subjects have the right to confirm, free of charge, whether the organization holds any personal information concerning them. They also have the right to request the record or description of their personal information as well as the identity of all third parties or categories of third parties who have or had access to the information.
  2. Requests must be responded to 'within a reasonable time'. There is no specific time frame under the POPIA.
  3. A data controller may refuse to act on a data access request on grounds for refusal of access to records set out in the applicable sections of the Promotion of Access to Information Act.
  4. The right to confirm that a responsible party holds information must be provided free of charge. A prescribed fee may be charged for responding to a request concerning access of record or description of personal data.

Article 18; Recital 67

Data subjects have the right to obtain restriction of processing where the accuracy of the data is contested, the processing is unlawful (and the data subject opposes erasure), the controller no longer needs the data for the purposes of the processing but the data subject requires it for legal claims, or the data subject has objected to the processing under Article 21(1) and verification of whether the controller's legitimate grounds override those of the data subject is pending.

vs

Section 14(6)

Data subjects have the right to obtain restriction of processing where accuracy of data is contested, processing is unlawful, the controller no longer needs the data for the purposes of the processing, or the data subject has requested to transmit the data into another automated processing system.

Article 16; Recital 65

Data subjects have the right to obtain from the controller the rectification of inaccurate personal data and to have incomplete personal data completed.

vs

Section 24

Data subjects have the right to request correction of their personal data. Data controllers must correct the information as soon as reasonably practicable.

Articles 12, 20, 28; Recitals 68, 73

Data subjects have the right to receive data in a structured, commonly-used, and machine-readable format and transmit the data to another controller.

vs

Section 14(6)

Under Section 14(6), POPIA allows data subjects to request to transmit the personal data into another automated processing system. It does not contain any further information on data portability.

Article 22

The GDPR provides data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them.

This prohibition on automated decision-making does not apply if the decision is authorized by law, is necessary for entering into or performing a contract, or is based on the data subject's explicit consent. In those cases, the GDPR requires data controllers to implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.

vs

Section 71

POPIA gives data subjects the right not to be subject to a decision which results in legal consequences for them, or which affects them to a substantial degree, where the decision is based solely on the automated processing of personal information intended to provide a profile of the person (for example, their performance at work, creditworthiness, reliability, location, health, personal preferences or conduct). Because POPIA also protects juristic persons, this right extends to organizations as well as individuals.

This prohibition on automated decision-making does not apply if the decision is taken in connection with the conclusion or execution of a contract (provided the data subject's request has been met or appropriate measures protect their legitimate interests), or if it is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of data subjects.


Enforcement and Penalties

Both GDPR and POPIA impose fines and penalties on organizations that fail to comply with their requirements.


Articles 82, 83, 84; Recitals 148-150

  1. Fines may be issued directly by the relevant supervisory authority that also has a variety of other administrative and investigative powers.
  2. Depending on the circumstances of each individual case, the type of infringement and its severity, the administrative fine may be up to €10 million or 2% of total worldwide annual turnover of the preceding financial year (whichever is higher), or, for the more serious category of infringements, up to €20 million or 4% of total worldwide annual turnover (whichever is higher).
  3. The GDPR itself contains no provisions for imprisonment, although Member States may lay down additional penalties. Data subjects have the right to lodge a complaint with the relevant supervisory authority, the right to an effective judicial remedy against a controller or processor, and the right to compensation for damage suffered as a result of an infringement.
vs

Sections 74, 99, 107, 109

  1. Fines may be issued directly by the Information Regulator that has a variety of other corrective and advisory powers.
  2. The Information Regulator may impose an administrative fine of up to ZAR 10 million. Certain offences under the Act are also punishable on conviction by a fine or imprisonment of up to 10 years (up to 12 months for less serious offences).
  3. Data subjects have the right to lodge a complaint with the Information Regulator and to institute a civil action for damages; the Information Regulator may also bring such an action at the data subject's request.

For quick action items for compliance with POPIA, please refer to our Compliance Checklist for South Africa's POPIA, and for a detailed overview of the law refer to our whitepaper, What You Need to Know About South Africa's POPIA.


Next Steps

To stay compliant with global privacy regulations, organizations need to make use of automation. Privacy regulations are a difficult obstacle to navigate, and with both data volumes and the number of regulations growing at the same time, it is becoming impractical for organizations to comply using manual methods alone.

Securiti offers organizations an AI-powered solution designed to help them comply with privacy regulations around the world in a swift and efficient manner. Robotic automation and AI come together to give you a 360-degree solution for your data compliance needs. To learn more, visit https://securiti.ai/ to book a free demo.


Frequently Asked Questions (FAQs)

GDPR is the European Union's data protection regulation, while POPIA (Protection of Personal Information Act) is South Africa's data protection law. Both laws share similar principles but have differences in scope, requirements, and jurisdiction.

The GDPR is a comprehensive EU regulation, while the Data Protection Act (DPA) is specific legislation adopted by individual EU member states to supplement and implement GDPR within their national legal framework.

GDPR applies to the European Union and its member states. However, if a South African organization processes the data of EU residents, it may need to comply with GDPR requirements.
