This is the first in a four-part series of articles on data breaches, privacy and data protection. The series considers privacy regulation and the risk of non-compliance arising from factors such as hacking and liability for employee conduct.
General Data Protection Regulation ("GDPR")
The European Union ("EU") GDPR is a data privacy and protection framework aimed at strengthening Europe's data privacy laws. The GDPR applies to every organisation in South Africa that processes the personal data of individuals in the EU, or monitors their online activities. A failure to comply with the GDPR may result in a range of consequences, including a written warning and periodic data protection audits. For more serious infringements, administrative fines may be imposed under Article 83: up to €10 million or 2% of the organisation's annual worldwide turnover (whichever is higher) for the lower tier of infringements, and up to €20 million or 4% of annual worldwide turnover (whichever is higher) for the upper tier.
Regardless of whether South African organisations have a physical presence in the EU, they are still obliged to comply with the GDPR because of its wide territorial scope. In terms of Article 3(2), the GDPR applies where a South African company processes the personal data of individuals in the EU in connection with offering them goods or services (whether or not payment is required), and where a South African company monitors the online behaviour of such individuals, as far as that behaviour takes place within the Union.
The Protection of Personal Information Act 4 of 2013 ("POPIA")
POPIA gives effect to the Constitutional right to privacy and attempts to balance the right by making provision for the free flow of information in South Africa and outside its borders, and regulating the processing of such personal information. POPIA therefore imposes obligations in respect of the way businesses collect, store and use personal data belonging to individuals such as their employees and customers.
POPIA is not limited to businesses registered or incorporated in South Africa. In terms of section 3, it applies where the responsible party is domiciled in South Africa, and also where a responsible party that is not domiciled in South Africa makes use of automated or non-automated means located in South Africa to process personal information (unless those means are used only to forward the information through the country). In practice, therefore, it applies to businesses and organisations that collect and process the personal information of South African consumers and employees. A South African organisation that also handles the personal data of individuals in the EU should read POPIA together with the provisions of the GDPR.
POPIA provides that where there is a failure to comply with the conditions for lawful processing, the responsible party bears the ultimate liability. The responsible party should therefore obtain indemnities from its operators (the equivalent of processors under the GDPR) in respect of compliance with their contractual obligations and with data protection laws, so that the operator is held liable for any risk, harm or loss suffered as a result of its breach of those obligations or laws. The operator could, for example, be required to reimburse the responsible party for any administrative fine imposed by the Information Regulator, or for any damages claims brought by data subjects as a result of a data breach.
Differences Between the GDPR and POPIA
A notable difference between the GDPR and POPIA is that Article 37 of the GDPR requires the appointment of a Data Protection Officer only in specified circumstances (for example, public authorities and organisations whose core activities involve large-scale monitoring of data subjects or large-scale processing of special categories of data), whereas POPIA requires every responsible party to designate an Information Officer and register that officer with the Information Regulator. Moreover, Article 25 of the GDPR makes express provision for data protection by design and by default. By contrast, POPIA contains no equivalent provision and treats it as a best-practice approach, although its security safeguard condition still requires appropriate technical and organisational measures. Article 35 of the GDPR imposes an obligation to conduct data protection impact assessments for high-risk processing; POPIA itself contains no equivalent article, although the regulations issued under POPIA require the Information Officer to ensure that a personal information impact assessment is carried out. Lastly, Article 20 of the GDPR provides for the right to data portability, which allows data subjects to request that their data be transmitted to another controller or service provider, whereas POPIA provides no such right.
The next article in this series will set out the steps that employers should follow to ensure that they comply with the laws that safeguard against data breaches.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.