POPIA entering into force: it’s time for Africa
In 2013, South Africa first passed the region’s most promising data privacy legislation, the Protection of Personal Information Act (POPIA). The law includes specific guidelines regarding consent, security, corporate responsibility, and more. Some of POPIA’s provisions went into effect last year, and in July 2021, the law is finally coming into full force.
For those interested in diving into the details of POPIA, here’s what it means for local consumers and businesses, how the new-old law compares to the famous GDPR, and what Mine’s original data can teach us about data privacy in South Africa.
What is POPIA?
In addition to what is possibly the cutest name for a data privacy law, POPIA also includes eight information protection principles for lawful data processing:
- Accountability: This principle demands that we define who the responsible party is within the organization and assign the responsibility for all POPIA compliance to that specific individual.
- Processing limitation: The general requirement here is that all data will be processed in a fair and lawful manner based on consent. This principle is focused on how the data was obtained, the user’s awareness, third-party involvement, excessive information gathering, and more.
- Purpose specification: The law demands that information will only be gathered for specific, clear, predefined purposes. These goals must be communicated to users throughout the process, and the collection procedure’s scope should be limited.
- Further processing limitation: If the processing of data has any secondary purposes, these must be directly tied to the original purpose that was first communicated to users. In other words, reusing data for different goals without consent is forbidden.
- Information quality: This principle defines the responsibility to try and keep all collected information as updated and complete as possible. Specific measures should be taken to ensure that, and users should be given tools to update their own data as well as withdraw consent.
- Openness: The responsible party should maintain a high level of transparency and let data subjects know how their data is handled before receiving consent. Businesses must present evidence for consent and for informing users of their data privacy rights.
- Security safeguards: The data collected from customers should be protected, and companies need to present the procedures that identify users, prevent unauthorized access, alert users on breaches, and more.
- Data subject participation: Customers can approach the company at any given moment to receive information regarding their personal data. They should be granted access and have a simple path towards consent withdrawal.
The meaning of POPIA in a nutshell
POPIA’s principles are meant to cover a wide range of data privacy concerns that include security breaches, identity and data theft, user discrimination, violation of consent, children’s privacy rights, and more.
The law grants South Africans new data privacy rights such as the right to access, correction, erasure, and more. Like other data privacy laws, its revolutionary force is in establishing these rights and defining data privacy as a protectable asset that belongs to the people.
POPIA draws inspiration from existing laws like the GDPR, which we’ll discuss shortly. It offers South African citizens enforceable protection, and businesses violating it may face severe fines of up to 10 million South African rands. The law applies to every company or organization that’s located in South Africa and processes information in the country.
What Mine’s data shows
Our platform enables users worldwide to manage their data independently, teaching us a few valuable lessons of data privacy in various locations. Here’s what we’ve learned about internet users in South Africa:
We look forward to seeing the data privacy revolution continue in South Africa and elsewhere. Meanwhile, we encourage internet users worldwide to take action right now instead of waiting for new laws to come into force. Visit your Mine account and take ownership of your data. It’s yours to take and manage.
POPIA vs. GDPR
While the GDPR inspired many of the terms and rights included in POPIA, including the definitions of ‘personal information’ and ‘processing,’ there are also a few key differences between these two laws. POPIA protects only the data processed by companies located in South Africa. The GDPR, however, applies to companies processing data in the EU, even if they are located elsewhere.
The roles and responsibilities assigned by POPIA are also different. The law doesn’t include a data processor or controller and instead defines the extended role of an Information Officer. POPIA also doesn’t refer specifically to vulnerable persons but does include a definition for children, which is missing from the GDPR. As we can see, the laws share a similar base but turn in different directions on many occasions.