PoPIA – Why South African firms should care about GDPR

The European Union’s General Data Protection Regulation (GDPR) comes into effect in just over two months.

Given that this is European legislation, why should South African businesses care?

The obvious answer – GDPR applies to any business that deals with the personal data of EU citizens. This may mean you – even if your business is confined to South Africa.

The less obvious answer?

The South African Protection of Personal Information Act (PoPIA) draws heavily on the GDPR legislation.

There are some key differences – most obviously, PoPIA is South African law, while GDPR is promulgated in the EU.

GDPR protects the rights of individuals, whilst PoPIA extends these rights to legal entities such as businesses and trusts.

Yet, at their core the two have many common elements and requirements.

Both require a shift in culture: data privacy must be treated as a human rights issue.

Organisations must both adapt existing data policies to meet the requirements and define the organisational structures necessary to ensure accountability for the misuse of personal data.

These are data governance challenges.

A year before the May 2018 deadline, a Collibra and Compliance Week GDPR survey showed that the vast majority of companies surveyed were not ready for GDPR – and that around 50% can be expected to miss the May 2018 deadline.

The lesson for South African companies is clear!

12 months is not enough time to achieve PoPIA / GDPR compliance.

The survey points to several best practices for achieving and maintaining GDPR compliance that are equally relevant to PoPIA:

  1. Cover all four pillars: People, Process, Technology, and Data
  2. Use a top-down approach to ensure results can be sustained
    1. GDPR / PoPIA are principle-based
    2. GDPR / PoPIA are about the responsible use of data
    3. People use data, through processes that are enabled by technology
  3. Involve everyone: Data privacy regulations need board-level sponsorship and coordination, and joint leadership from legal, IT, HR and other business stakeholders

GDPR and PoPIA require organisations to create a new framework that defines how they will manage and use personal data.

Starting with data governance principles and approaches is the sensible way to ensure that your framework is both achievable and sustainable.

It is too late for those companies that have not acted timeously to meet the GDPR deadline at the end of May.

Hopefully we can avoid the same problem with PoPIA.
