Similar to GDPR, the Protection of Personal Information Act (POPIA or POPI Act) took effect in South Africa on July 1, 2020. From this date on, businesses and companies had a grace period of 12 months to update their systems and be POPIA compliant. But what is the Act about, and is it the same as GDPR?
POPIA stands for Protection of Personal Information Act, while POPI is shorthand for Protection of Personal Information.
Is there really a difference between the two terms? Well, let’s say that to comply with POPIA, you need to implement a POPI program – POPI is the act of protecting personal information.
What is sure is that POPIA lays down eight mandatory conditions for lawful processing.
These include: Accountability, Processing, Limitation Purpose, Specific Further Processing Limitation, Information Quality, Openness, Security, Data Subject Participation.
POPI applies to any person, business or entity that processes personal information of data subjects. When referring to this Act, the term “processing” is crucial. In fact, processing involves anything done with personal info, from the moment it is collected to the moment it is destroyed. So, if your business is domiciled in South Africa or processes personal information in South Africa, you must comply with POPIA.
POPIA is about where you process and not who your data subjects are
However, if you are processing for a personal reason, then POPIA won’t apply to you.
Does POPI Act preclude direct marketing? No, it doesn’t. But marketing must indeed include now an “opt-in” option, meaning that consumers have to actively accept to receive promotional messages. And what about existing subscribers? You can still contact them as you don’t need to obtain new explicit consent. However, they have the right to withdraw their consent whenever they want to. In short:
For new potential customers, consent is required, and the deactivation option must be guaranteed
For existing customers, a deactivation option should be provided.
You should be well aware of the risks of non-compliance. To begin with, POPIA provides for sanctions for persons, which may include both natural and juristic persons. Not to mention that you may risk imprisonment.
In fact, the maximum penalties are an R10 million fine (approx. $677,200) or imprisonment, which may last up to 10 years, or to both a fine and such imprisonment.
For the less severe offences, the maximum penalty would be a fine or imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.
As much as many claimed that these two laws are basically the same, some major differences stand out from a deeper analysis.
As previously stated in “GDPR and the Shift in Privacy Practises: the Relevance of being Compliant”, the European law only protects living individuals. POPIA, instead, involves companies and organizations as juristic persons too.
Moreover, POPIA focuses on the location of processing data rather than who data subjects are. You don’t need to comply with POPIA if you’re processing the personal information of South African data subjects in Europe and are domiciled in Europe.
As a matter of fact, POPIA is not extraterritorial like the GDPR.