Comply with South Africa’s Protection of Personal Information Act
The South African population recently gained rights over their personal information. Enforcement of South Africa’s Protection of Personal Information Act (POPIA) began on July 1, 2021, and the law was modeled closely after the European Union’s GDPR. It’s been a long time coming, as variations of this law have been in the works for almost 20 years.
POPIA creates a broad definition of personal information for comprehensive end-user protection and results in the formation of the Information Regulator as lead enforcer and supervisor of the law. South Africa joins just a handful of other jurisdictions as leaders in the movement to protect citizens’ personal information.
An Overview of POPIA
POPIA applies to any business or organization that processes personal information in South Africa, whether they have a physical location there or not. Transfers of personal information outside of South Africa are prohibited (with few exceptions), and fines for non-compliance can range up to 10 million ZAR.
South African data subjects are given nine actionable rights:
- The right to be notified about the collection and processing of personal information
- The right to access personal information
- The right to request correction
- The right to request deletion
- The right to object to the processing
- The right to not have personal information processed for purposes of direct marketing by means of unsolicited electronic communications
- The right to not be subject to a decision that results in legal circumstances based solely on automated processing
- The right to complain to the Information Regulator
- The right to an effective judicial remedy
The responsibility is on the data processing organization to prove that their practices are lawful and that the appropriate consents have been obtained from the users. This arrangement is meant to elevate the rights of the data subject.
When POPIA Applies
The scope of POPIA is more restricted than Europe’s GDPR, which applies to anyone who processes personal data from the EU, no matter where they are located. POPIA applies to the processing of personal information by a responsible party, whether located in or outside of South Africa, but only if that party uses means located in South Africa to process the data.
In other words, if your organization is located within South Africa and processes personal information, you must comply with POPIA. If your organization is outside of South Africa but processes personal information on residents located in South Africa, you must still comply.
What Are the Differences Between POPIA and GDPR?
While POPIA was modeled after the EU’s GDPR, there are several key differences to note between the two privacy laws.
Below are a few:
- The GDPR’s function is limited to the protection of living individuals. POPIA protects individuals, as well as companies and organizations that may have their data processed.
- The GDPR protects the processing of personal data from inside the EU no matter where the data controller or processor is located. POPIA is structured so that it only applies to companies or organizations located in South Africa, with the exception of the automated processing that is done by ad tech and social media companies.
- The POPIA legislation simply refers to the responsible party, when it comes to data processing. GDPR refers to the data processor, which could be the person processing the data on behalf of the data controller.
- All organizations that must comply with POPIA need to appoint an information officer and a deputy information officer. Under the GDPR, it’s a data protection officer, and the responsibilities may differ.
- Both sets of regulations talk about personal data and special personal data (sensitive data in the GDPR). But POPIA attaches criminal offenses to violations involving special personal data.
Personal Information and Data Subjects
The definitions of personal information are similar between POPIA and the GDPR. Under POPIA, it is information relating to an identifiable, living, and natural person. One distinction between the two is that POPIA includes companies, organizations, or other legal entities in its definition of data subjects. In Europe, data subjects are limited to individuals.
In other words, under POPIA, businesses have certain rights that they don’t enjoy under European standards. The full ramifications of this distinction will become apparent as we see how it is enforced.
CookieScript and POPIA Compliance
Websites that have been around for any length of time tend to accumulate cookies and trackers. While organizations are responsible for compliance with privacy regulations, they may not be aware that their website has these trackers in place, especially because some are set by third parties. This can jeopardize an organization’s compliance with the privacy regulations it is responsible for adhering to.
The role of CookieScript is to detect these cookies and trackers, while placing the end-user in control of the privacy experience, by allowing them granular levels of consent over these trackers. CookieScript operates in full compliance with all major international privacy regulations, including:
- The GDPR (EU)
- CCPA (California)
- LGPD (Brazil)
- POPIA (South Africa)
CookieScript detects and activates all cookies, trackers, or trojan horses associated with your website domain so that you can comply with all necessary privacy regulations. From that point, you can create customizable consent banners to allow your users to determine their own level of tracking consent.
Using CookieScript to Maintain Compliance with Major Privacy Regulations
More and more governments are establishing important privacy regulations to better protect their residents. It’s critical for companies and organizations located in these regions, or that do business within these regions, to maintain a strict level of compliance. CookieScript can help in this process by allowing end-users to customize their own experience, and consent to any website tracking at an individual level.