Over the last couple of months, I have been receiving numerous e-newsletters and articles about GDPR. The European Union’s General Data Protection Regulation (GDPR) will come into effect on the 25th of May. Organisations are required to place a much stricter focus on data protection.
So how does this compare to our very own POPI, or is it POPIA (Protection of Personal Information Act)? This reminds me of an ex-colleague of mine who is Afrikaans and pronounced POPI like poppie, which is an Afrikaans word for “doll”. He was quite a serious individual, so it was difficult for me not to giggle every time we spoke about POPI. So, the correct abbreviation, as expressed by the Information Regulator, is POPIA, which sounds similar to PAIA (Promotion of Access to Information Act).
The core principles of data protection and privacy are common to both laws, but many aspects of implementation are different. For example, the GDPR does not protect legal entities, whereas POPIA extends to the personal information of juristic persons and not just individuals, making it more extensive and stringent in this area. The GDPR also deals with the “right to be forgotten” and data portability. The fines are much bigger under the GDPR, but, unlike POPIA, it creates no criminal offence.
POPIA should be seen as a stepping stone to GDPR compliance. For organisations that have already taken steps to comply with POPIA and general data protection principles, compliance with the GDPR will not be such a great leap. I’ve tried to find some statistics on the number of SA businesses that are POPIA compliant, and the only information I could find was from a year ago. The survey was conducted by ITWeb in collaboration with Backup Storage Facilities: close to 70% of respondents said they were aware that non-compliance could result in a fine or even a jail term. However, less than half said they know exactly what the POPI Act requires from their business, with the remainder not knowing or being unsure.
When asked whether their organisation was POPI compliant, only 21% answered ‘yes’, 19% answered ‘no’, and 26% were ‘unsure’, while 35% were ‘in progress of getting their house in order’.
I do hope that the new survey being conducted yields better results. I suspect that many companies are still waiting for the deadline to be announced before they take any action. These same companies see POPIA as a compliance issue and do not take any of the benefits into account.
So, if businesses have not given POPIA a second thought, perhaps the implementation of the GDPR might be a wake-up call. The GDPR not only applies to organisations located within the EU, but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU citizens. If a company processes and holds the personal data of citizens belonging to a European Union member state, then it will be required to comply with the GDPR. Non-compliance with the GDPR can result in fines of up to €20-million or 4% of a company’s global turnover, whichever is higher.
I look forward to the day when I answer my cellphone and there is no longer a voice recording on the other end trying to sell me funeral cover, and my mailbox is no longer flooded by unsolicited e-mails. When I ask the telemarketers where they obtained my information from, their standard response is “Oh, you must have filled out a form at some stage and gave your consent”. But alas, I may be living in a dream world.