Comparing privacy laws: GDPR v. POPIA
OneTrust DataGuidance is pleased to announce the release of the GDPR v. POPIA Report, which compares data protection requirements and recommendations under the GDPR and the Protection of Personal Information Act, 2013 ('POPIA').
The Report examines and enables a detailed comparison of the data protection requirements stipulated under these two legislative frameworks. In particular, the Report explores similarities in relation to data subject rights, primary definitions, and material scopes. The Report also highlights key differences, such as POPIA's applicability to juristic persons' data, and nuanced compliance challenges, including the variations in data breach notification requirements under the two laws. While in broad terms the GDPR and POPIA take similar approaches to personal data protection, there are several important distinctions in the obligations they impose on organisations.
- POPIA has a tighter extraterritorial applicability, but a wider concept of who may be considered a data subject
- Both laws provide for generally similar concepts of data controllers and processors
- There are significant differences in regard to children's data, pseudonymisation, and rights to erasure and portability
- There are subtle differences in relation to data protection officers, data breach notifications, and enforcement powers
- POPIA substantially commenced on 1 July 2020 with a 12-month transition period for organisations to become compliant