Two words are prominent in the South African business market today – GDPR and POPI Act. There have been several recent amendments and updates in both. It is crucial for businesses in South Africa to understand what they stand for and why it is vital to comply with them.


GDPR and POPI Act might seem tricky, but they really aren’t. Here is everything you need to know about the GDPR South Africa has enforced.


GDPR Definition


GDPR stands for General Data Protection Regulation. It is a regulation in the EU (European Union) Law that aims to protect the data and privacy of individuals in both the European Union and the European Economic Area. One of the most revolutionary changes in data regulation in the last 20 years, it aims to reshape the way data is handled across all economic sectors.


GDPR is similar to the POPI (Protection of Personal Information) Act of South Africa. However, the two are not identical in every respect. GDPR governs the collection, usage, and storage of private information that can identify an individual and makes businesses accountable for it. The personal data that falls under GDPR includes but is not limited to names, addresses, government-issued ID numbers, IP addresses, consumer behaviors, consumer preferences, genetic data, biometric data, etc.


One might ask: why should a business in South Africa worry about a data protection regulation in the European Union? Well, here is the twist. If you have a company in South Africa that either does business with European customers or monitors their consumer behaviors, you need to comply with GDPR. Why? Because your business is dependent on consumers residing in the European Union.


GDPR Compliance


Data breaches are not new in this world. Every now and then, data gets lost, hacked, or intentionally sold to a third-party vendor. To restrict such occurrences, GDPR Compliance was put into place.


GDPR Compliance requires concerned professionals (like a CIO) in businesses to ensure that the personal data they gather is collected legally and under strict conditions.


Their responsibility does not end there. They also need to make sure that personal data stays safe and secure with them. Firms are required to protect it from misuse and exploitation. They also need to make sure that they comply with the terms under which it was collected and deny access to unauthorized third-party vendors. Failure to do so will result in hefty fines.


The standard penalty levied on organizations in the case of non-compliance is a whopping 4% of their annual global turnover. Disciplinary action under the POPI Act includes a fine of R10 million and a possible jail sentence of up to ten years. The reason the monetary fine is higher under GDPR is that its regulations and compliance rules are much stricter and more demanding than South Africa’s POPI Act.


GDPR Requirement


GDPR does not apply to your South African business merely because its website is accessible to the citizens of the European Union and European Economic Area. The application of a GDPR requirement is also limited and varies for different data handlers. The EU identifies two types of data handlers under GDPR – controllers and processors.


A data controller determines the purpose and means of personal data processing. A data processor, on the other hand, processes personal data on behalf of the controller. Whichever party is responsible for a breach is subject to stricter legal liability.


For GDPR to regulate your business, you must demonstrate a clear intent to sell your products or services to residents of the European Union and the European Economic Area. So if your business is in South Africa, indicators of this intent can be determined as follows –


  • If your business uses a European language to market your product or service.
  • If your business allows monetary transactions to take place using European currencies.
  • If your business mentions customers or users in the European Union and European Economic Area.
  • If your business allows ordering products and services and receiving invoices in any European language.




In addition to the EU’s GDPR, South Africa has its own data privacy act called the POPI (Protection of Personal Information) Act. The POPI Act has eight conditions or minimum thresholds that need to be followed. These are accountability, purpose specification, processing limitation, further processing limitation, information quality, openness, security safeguards, and data subject participation.


While GDPR and the POPI Act might sound the same and are, in fact, similar in many respects, there are stark differences between them. GDPR applies to all businesses in the EU or EEA and to those with consumers in these geographical areas. The POPI Act, however, applies to personal information processed within South Africa’s borders.


Unlike GDPR, which concerns living persons, the POPI Act also pertains to the information of companies, corporate institutions, and other such entities. While the scope of application of the POPI Act is more extensive in terms of the types of entities, the fine for GDPR non-compliance is higher.


GDPR requires only specific types of organizations to appoint a Data Protection Officer or DPO. This requirement depends on the size of the company, its processing capability, and other such factors. Under the POPI Act, however, all South African businesses are required to appoint a Data Protection Officer regardless.

