POPI vs GDPR: The legal ramifications

by Lucy Phillips. It is generally accepted that being GDPR compliant will result in POPI compliance, however, there are certain nuances that South African organisations need to be aware of.

by Lucy Phillips. Data protection has recently become a popular topic, and as the world becomes more sensitive to the protection of personal information, and the associated risks in the event of a breach; countries are creating and developing various legislations and protocols to counteract these risks.

One of the most prominent and successful data protection legislation is the European Union General Data Protection Regulation (“GDPR”). Many recall when the GDPR came into effect, that their inboxes were flooded with mails requesting subscribers to agree to new terms and conditions in terms of the GDPR, and accordingly, the GDPR was brought to the forefront of data protection. Locally, the Protection of Personal Information Act (“POPI”) is set to be fully enacted on 1 July 2021, and there are accordingly many questions around its contents and implementation, as well as whether being POPI compliant will result in GDPR compliant.

The basis of both the GDPR and POPI are certain principles for lawful processing, with the GDPR having seven such principles, and POPI having eight. These principles help guide data subjects as well processors as to how to ensure openness and transparency with regards to how and why data is collected and stored; how data subjects can participate in ensuring compliance; and how data breaches are dealt with.

There are substantial similarities between the two pieces of legislation, however, there are also some distinct differences. It is important to understand these differences as your organisation may be required to sign documentation that references either or both of these legislations; with many local organisations that are part of a global group requiring their suppliers and clients to perform Data Protection Impact Assessments in terms of the GDPR. The local Information Regulator has agreed with the European Commission that it will locally enforce any breaches of the GDPR – and therefore local companies should not believe that distance from Europe protects them from liability.

It is generally accepted that being GDPR compliant will result in POPI compliance, however, there are certain nuances that South African organisations need to be aware of. South Africa does not yet have an adequacy decision from the European Commission, which would allow for a free flow of data between South Africa and Europe, deeming South Africa “safe” and having data protection legislation that is equal to the GDPR. It is presumed that once POPI is formally enacted that this adequacy decision will be granted.

Legislative differences

Some of the most pertinent differences between the two pieces of legislation are highlighted below:

Whilst there are some differences between the drafting, application and implementation of the two pieces of legislation; the purpose and intent behind both POPI and the GDPR is inherently the same, namely: the creation of a uniform manner in which the collection, storing and processing of data is regulated to ensure protection for all data subjects.


Lucy Phillips heads up Consilium Legal, after founding the company with Natalie Laurencik in 2012. As a specialised consultancy, Consilium is focused on the commercial aspect of its clients’ businesses, such as commercial, corporate and advisory work. Having previously worked at FNB, where she was Legal Contracts Manager, and as Head of Legal (procurement) at Rand Merchant Bank; Phillips has extensive experience and expertise in staff training and continuing education on data privacy; consumer protection; roles and duties of directors under the Companies Act 2008 and the laws relating to social media.

– Receive the Retailing Africa newsletter every Monday and Thursday • Subscribe here

– Take advantage of Retailing Africa’s ‘Pay-what-you-can’ business support package • Read more