GDPR first, POPI second: law expert
South African businesses processing the data of European Union (EU) subjects will have to comply with the new EU General Data Protection Regulation (GDPR), as well as with the Protection of Personal Information Act (POPI).
Speaking at the ITWeb Security Summit 2017 this week, Lisa Emma-Iwuoha, an attorney at law firm Michalsons, said South African companies that process any EU data should take notice of the variances between the two laws and try to find the middle ground.
"GDPR is set to become the standard benchmark for data protection," she said. "A company might not actually have presence in Europe, but if it processes any data of EU citizens, then it will have to take into account the GDPR. It might even be more important for that company than POPI."
The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU. The regulation was adopted in April 2016 and will fully apply as of 25 May 2018 after a two-year transition period.
"For those who have already done much to comply with POPI, it's good news. You won't need to start again, although you will need to tweak what you have been doing. In some cases, the GDPR will even help you by providing answers," said Emma-Iwuoha.
She added that companies should be careful not to assume that being compliant with the GDPR means they are sufficiently compliant with POPI. "The laws have general terms that will be the same, but it's the slight nuances with each that companies need to pay attention to and comply with," she said.
The POPI Act was signed by the president on 19 November 2013 and published in the Government Gazette on 26 November 2013. A commencement date is yet to be announced.