Comparing privacy laws: GDPR v. POPIA
OneTrust DataGuidance is pleased to announce the release of the GDPR v. POPIA Report, which compares data protection requirements and recommendations under the GDPR and the Protection of Personal Information Act, 2013.
Comparing Privacy Laws Report
The Report examines and enables a detailed comparison of the data protection requirements stipulated under these two legislative frameworks. In particular, the Report explores similarities in relation to data subject rights, primary definitions, and material scopes. The Report also highlights key differences, such as POPIA's applicability to juristic persons' data, and nuanced compliance challenges, including the variations in data breach notification requirements under the two laws. While in broad terms both laws take similar approaches to personal data protection, there are several important distinctions in the obligations they impose on organizations.
Key takeaways of the report include:
- POPIA has tighter extraterritorial applicability, but a wider concept of who may be considered a data subject
- Both laws provide for generally similar concepts of data controllers and processors
- There are significant differences in regard to children's data, pseudonymization, and rights to erasure and portability
- There are subtle differences in relation to data protection officers, data breach notifications, and enforcement powers
- POPIA substantially commenced on 1 July 2020 with a 12-month transition period for organizations to become compliant