How similar is the South African POPIA to the EU GDPR?

As we know, the European Union General Data Protection Regulation (EU GDPR) came into effect on the 25th of May, in 2018, providing requirements for people and companies living in the EU or dealing with EU countries in order to protect personal data. POPIA, which stands for Protection of Personal Information Act, is South Africa’s Regulation on data protection. POPIA was promulgated in 2013 but went into effect on 30 June 2021.

These regulations contain several similarities in key definitions, for example the conditions under which the processing of data could be considered lawful, data subjects’ rights, and the role of supervising authorities. However, there are also some differences. Let’s highlight how these laws work, taking into account the key definitions and concepts of data protection law, to provide an overview for companies that need to comply with these regulations.

Key differences between EU GDPR and POPIA
  • Appointment of a person responsible for data protection
  • Right to data portability
  • Pseudonymisation
  • Transfer to third countries

Compliance with POPIA

First of all, an organisation, company, or public body needs to be compliant with POPIA if they are based in South Africa or, whether not they are based in the country, if they process personal information in South Africa through the use of automated or non-automated means. Although this regulation was approved in 2013, five years before the EU GDPR, it only went into effect in 2020, giving companies a 12-month period of transition to become compliant (until 30 June 2021).

EU GDPR vs POPIA – A comparison

Many key definitions are quite the same, but there are also some differences. As a comparison, we’ve listed the key concepts and requirements in the table below:

Key concepts EU GDPR POPIA Comments
Territorial Scope It applies to processors or controllers established in the European Union, as well as to processors or controllers not established in EU that offer goods or services to data subjects in the EU. Where the responsible party for processing personal data is located in South Africa, or not located in South Africa but processing personal data of people who live in South Africa. Quite similar, but POPIA does not refer to “offering of goods and services” made by the processors to the data subject.
Definition of personal data The EU GDPR refers to “personal data,” that is, any information relating to an identified or identifiable natural person, such as name, identification number, etc. POPIA refers to “personal information,” meaning any information relating to an identifiable, living, natural person or, where applicable, juristic person. Quite consistent
Definition of processing organisations The EU GDPR refers to these entities as “data controller and data processor.” POPIA talks about “responsible party and operator.” Different terms, but quite consistent with the EU GDPR’s definition.
Data referring to racial, ethnic, religious or philosophical beliefs, political opinion, genetic and biometric data The EU GDPR uses the term “special categories of data.” POPIA uses “special personal information,” but it refers to the same categories of data listed by the EU GDPR. Very consistent
Legal grounds for processing
  • Consent
  • Performance of a contract
  • Compliance with legal obligations
  • Protection of vital interests
  • Reasons of public interest
  • Legitimate interest
  • Consent
  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate interest of the data subject
  • Performance of a public law duty
  • Legitimate interests of the responsible party
Quite consistent
Data subject’s rights
  • to access
  • of rectification
  • to erasure
  • to restriction
  • to data portability
  • to object
  • not to be subject to processing based on automated means, including profiling
  • to access
  • to have data corrected, destroyed, or deleted
  • to be informed about how data is collected
  • to object
  • not to have data processed by means of automated decision
Differently from the EU GDPR, POPIA does not provide the data subject with the right to data portability (the right of the individual to receive his or her data in a structured and machine-readable format so that the data could be moved among different applications, IT environments, platforms, or programs in a secure way).
Person responsible for data protection Data Protection Officer POPIA refers to the designation of an “Information Officer,” providing this role with duties and responsibilities. POPIA describes roles and responsibilities, but not in as detailed a way as the EU GDPR.
An assessment on risks regarding data protection A DPIA, Data Protection Impact Assessment, must be conducted in some cases POPIA does not requires a DPIA. Very different
Data transfer Personal data can be transferred only in the case of binding corporate rules, standard data protection clauses, or codes of conduct, which provide an adequate level of protection. Personal information can be transferred cross-border only in the case of a federal law, binding corporate rules, or binding agreement providing an adequate level of protection. POPIA does not refer to international agreements or registers of cross-border transfers. Quite different
Data breach notification In the case of a data breach, the EU GDPR requires controllers to inform the supervisory authority no later than 72 hours after becoming aware of the breach. The controllers must communicate the data breach to data subjects when risks to the rights and freedoms of the data subjects are likely to occur. POPIA does not requires a specific timeframe for breach notifications. In the case of security compromises, the responsible party is required to inform the regulator as soon as is reasonably possible. The data subjects must be notified of the security compromise, too, unless the identities of the data subjects cannot be established or if an authorised public body or the regulator determines that notification will impede a criminal investigation. Quite similar, but with different timeframes for data breach notification.
Fines, penalties, or possible imprisonment In the case of less severe infringements, up to € 10 million or, if the controller is a company, up to 2% of the annual turnover. In the case of more severe infringements, up to € 20 million or, if the controller is a company, up to 4% of the annual turnover. POPIA does not make distinctions in infringements. It only establishes a fine maximum of ZAR 10 million (approx. € 600,000) to be paid no later than 30 days from the notification. Different fines, and no distinctions in infringements in POPIA.
How similar is the South African POPIA to the EU GDPR? - Advisera

EU GDPR vs POPIA – Similarities and differences

If we look at the table above, we can see that the EU GDPR and POPIA contain many similar concepts regarding the protection of personal data:

  • People processing data, identified as “controllers and processors” by the EU GDPR and “responsible parties and operators” by POPIA, are required to process data on the basis of similar legal grounds (consent, legitimate interest, etc.).
  • Data subjects can exercise specific rights in relation to the processing of their data (some of them under certain circumstances).
  • Fines are issued in both regulations if a controller/responsible party infringes on one or more EU GDPR or POPIA requirements.


GDPR vs. POPIA: Comparison of main similarities and differences

On the other side, let’s see which parts make the EU GDPR and POPIA different:

Appointment of a person responsible for data protection. The EU GDPR requires organisations to appoint a person as a DPO, or Data Protection Officer, under certain circumstances (e.g.: if the controller is a public authority). This person is responsible for compliance with the European Regulation and is the single point of contact for data subjects to exercise their rights; he or she can be outsourced and is required to have expertise in data protection laws. On the contrary, POPIA requires an information officer to be designated to perform duties and responsibilities regarding data protection; however, if this designation is not provided, the information officer is automatically and in any circumstances the head of the organisation. Moreover, no specific knowledge of privacy frameworks or law is required.

Right to data portability: The GDPR provides a data subject with the right to have his or her personal data in a “structured, commonly used and machine-readable format” and transmitted from one controller to the other when the processing is over. On the contrary, POPIA does not refer to such a right.

Pseudonymisation: in the EU GDPR, pseudonymisation represents a means to process personal data in a way in which it is not possible to identify specific personal data without additional information. POPIA does not refer to pseudonymisation, but to “de-identification,” which, according to POPIA, is the act of deleting personal information that could refer or be linked to a data subject, and to “re-identification,” meaning to resurrect any information that has been de-identified.

Transfer to third countries: Although both the EU GDPR and POPIA place restrictions on cross-border transfers of personal data, and they both outline that binding corporate rules may be used to allow these transfers, POPIA does not refer to standard contractual clauses or codes of conduct as the EU GDPR does.

EU GDPR vs POPIA – The same way to look at data protection

Every country in the world writes its own laws according to the historic facts, customs, and traditions of the people living and working in the nation. Certainly, there are differences in the way that the EU GDPR and POPIA apply and require compliance, but we even more certainly acknowledge the same root as the origin for both: protecting people’s privacy, while ensuring that private data is protected from theft, unauthorised access, or abuse. Europe and South Africa are perhaps far from each other from a geographical or historic point of view, but they are quite close in the way they consider and enhance their citizens’ right to privacy of personal data.

To learn more about which documents you need to create to comply with the GDPR, download this free Checklist of Mandatory Documentation Required by EU GDPR

Advisera Francesca Lucarini

Francesca Lucarini

Francesca Lucarini is a cybersecurity advisor, ISO 27001 qualified auditor, and expert in communicating GDPR and information security themes, as well as the suggestion of tools to help people and companies increase their awareness of the risks that can occur with the use of technology.
Read more articles by Francesca Lucarini