While setting up your PoPIA compliance strategies, you should be paying attention to some of the principles set out by the General Data Protection Regulation (GDPR) in order to anticipate potential revisions to PoPIA before it’s signed into law.
PoPIA was enacted way back in 2013. We are still waiting for it to become enforceable, with deadlines for compliance being delayed. The problem is that data protection laws have evolved far beyond what they were six years ago. By the time the legislation becomes enforceable, it may well come with numerous tweaks and amendments.
The question, therefore, is whether there’s a way for you to streamline the protective operational structures you’re currently creating so that they pre-empt the several anticipated changes to PoPIA. And can you do so while still remaining within the boundaries of the existing legislation? This is where Europe’s GDPR can prove useful for your business. The GDPR was adopted by the European Parliament in 2016 and the deadline for compliance was May 2018.
So why use the GDPR as a benchmark for your compliance strategy? There are over 100 countries around the world with their own data protection laws. Why not use the USA’s various data protection laws and regulations, or India’s? Firstly, because the collaborative checks and balances of 28 European nations’ lawmakers secure the integrity of the GDPR principles and, secondly, because it is regarded around the world as a benchmark for data privacy regulation, due to its detailed transparency requirements. South African authorities are therefore likely to use the GDPR as a reference point for any revisions to PoPIA that need to be made. Data collection has evolved over the last six years and nobody has done a better job of writing, passing and enforcing data protection laws than the EU. And if that isn’t reason enough, bear in mind that to collect any information from customers or clients based in the EU, you will need to be GDPR compliant anyway.
The next question is what will change. Being GDPR compliant does not come at the cost of being PoPIA compliant. It’s less a case of transitioning from one to the other than of making very small changes. Your interpretation and implementation of the GDPR is unlikely to change when PoPIA becomes enforceable.
Several of the general principles that we’ve addressed in PoPIA, such as appointing someone to take accountability for your organisation, collecting as little data as possible and only for a specific reason, acquiring consent from an informed data subject and having response plans, are present in the GDPR, but may be worded slightly differently or refer to other European laws. The differences between the GDPR and PoPIA are somewhat nuanced, and making a plan to accommodate those nuanced differences won’t necessarily be difficult for you or your employees. It’s just a case of going the extra mile. They are very much two variations of the same thing and, especially considering that Europe is one of South Africa’s biggest trade partners, PoPIA will need to be brought in line with the GDPR.
Some of the differences are merely a matter of language, such as PoPIA referring to controllers and responsible parties as Information Officers, while the GDPR refers to them as Data Protection Officers. However, one of the key differences is that the GDPR exempts some SMEs from having to keep records. It also doesn’t require some organisations to appoint a data protection officer, depending on particular conditions, while PoPIA requires every single organisation to do so.
Furthermore, the GDPR sets out a principle referred to as “the right to be forgotten”, which is widely expected to be included in any PoPIA revisions. This refers to a data subject’s right to have data removed from an organisation’s data banks once that data has been held beyond a particular period of time. Personal data must be erased immediately where the data is no longer needed for its original processing purpose, or where the data subject has withdrawn their consent and there is no other legal ground for processing. Where the data subject has objected and there are no overriding legitimate grounds for the processing, erasure is likewise required, as it is where a statutory obligation demands it.
So there are many things to consider. Firstly, if you want to do business in the EU or with people based there, you have to be GDPR compliant. Secondly, it opens up other international business opportunities, because many countries around the world consider the GDPR requirements to be the best and will be reassured knowing that you have implemented the principles of the GDPR. Thirdly, you get a head start in South Africa while we wait for PoPIA to come into effect. All good reasons to pay close attention to the GDPR requirements.
If you’d like to know more about setting up your own PoPIA compliance strategies, please get in touch. We have proven processes to assist you.