How do the GDPR and POPI affect your business?

The GDPR is the new data privacy law for all members of the European Union (“EU”) and it stands for the General Data Protection Regulation. In standard terms, it is the equivalent of the South African Protection of Personal Information legislation (“POPI”).

So how can a privacy law for the EU affect your business situated in South Africa? The GDPR goes into effect on 25 May 2018 and applies to organizations based in the EU itself, but also applies to anyone who engages in business with, transfers any data to, or processes any data from a member of the EU. The GDPR provides a set of requirements that must be met in order to protect the privacy and confidentiality of personal information, and it also aims to protect the procedures used to process such personal information. For example, it will regulate how an employer processes and protects all salary information of its current and past employees. The GDPR provides for severe consequences for non-compliance with its regulations. According to the legislation, being found guilty of non-compliance can result in a penalty of up to €20 million.

In comparison to the above is the South African POPI, which has been brought into legislation but has yet to receive an effective date. As soon as an effective date is confirmed, the legislation provides for a grace period to allow all South Africans (dealing with the personal information of any other South African) to put the necessary processes and policies in place in order to comply with the regulations. POPI will also regulate how data can be obtained, stored, processed and destroyed. The consequences for non-compliance with POPI differ from those of its international counterpart in that non-compliance will result in a penalty of R10 million and/or 10 years' imprisonment.

To ensure compliance with both these data policies, it is highly recommended that all South Africans conduct the necessary due diligence to determine whether any adherence is required with both the international GDPR and the local upcoming POPI. Should it be required, the necessary steps should be taken to audit all current processes and procedures to determine whether they align with the requirements, and to put the necessary measures in place before the deadline. Those that will be most affected are businesses that are data rich (i.e. that hold personal information of both their clients and the staff they employ), for example:

· Banks

· Accountants/Bookkeepers

· Estate Agents

· Recruitment Agencies

· Any Business providing credit

· Cellphone Service Providers

· Lawyers/Advocates

· And many more…

But please note that POPI specifically will apply to all who process personal information, even if it is the personal information of only one single individual. Should you require any further information, guidance or assistance with the above, please contact us on

