The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law. In terms of its overall intention the regulation is similar to the EU’s General Data Protection Regulation (GDPR), but is unlike the GDPR in terms of where the data processing takes place.
POPIA also applies to personal information collected not only about living persons but about businesses, trusts, body corporates and other similar kinds of organisations whereas the GDPR applies only to living persons.
Most organisations (this includes businesses, websites and legal entities) in South Africa need to comply with POPIA, but not all. So which of them need to comply?
To make reading easier, we’ll refer to organisations – including businesses, websites and legal entities – in this blog as “you”.
Location of processing vs location of data subject
POPIA has more to do with where you process personal data than where or who your data subject is. This is different to the GDPR, which says you must comply if you process personal information belonging to data subjects in the EU even if you’re not located in the EU.
You must comply with POPIA if:
- You’re located in South Africa.
- You’re located outside of South Africa, but process personal information in South Africa.
So to work out if you need to comply or not, you can ask:
- Is your company registered in South Africa?
- Are your computers or servers in South Africa?
If you answer yes to either of these questions, you’ll need to get going with mapping your data, and working out how you can amend your systems to become compliant.
Generally speaking you don’t need to comply if:
- You’re not based in South Africa
- None of your processing equipment is in South Africa
There are some instances where POPIA obviously doesn’t apply, such as if the data subject is deceased, and others where you can apply for at least a partial exemption.
Gaining exception from POPIA
Very few organisations will be granted an exemption from POPIA. However, if you meet certain requirements, you can apply to the POPIA Regulator for an exemption to perhaps some of the processing conditions. To qualify for an exemption, you need to show that your processing is, amongst other examples:
- in the interests of national security or the prevention, detection and prosecution of offences,
- fostering compliance with other legal provisions,
- important for the economic and financial interests of a public body,
- for historical, statistical or research purposes,
- of special importance in terms of freedom of expression.
OR, you need to show that you processing is of definite benefit to the data subject and outweighs any interference with their privacy.
Journalists are in an interesting category and there are specific rules that apply to them. As a journalist, you can collect, process or share personal data for journalistic purposes. However, if as a journalist you process information for non-journalistic purposes, then you are subject to POPIA.
If you don’t want to comply with POPIA, you could move out of SA and process the personal information from another country.
If you need help working out whether you need to comply, and how, we can help.