How multinational firms operating in South Africa can comply with the country's privacy laws


International companies with head offices outside South Africa but with a presence in the country need to comply with the Protection of Personal Information Act (POPIA). The Act officially came into full effect in July 2021, requiring both local and international companies and corporations operating in the country to abide by the rules set out in the Act and regulated by the Information Regulator.

Some multinational businesses are grappling with understanding how to be compliant with the Act, especially since they may already fall under the General Data Protection Regulation (GDPR).

Whilst the GDPR and POPIA may be similar, they are still two distinctive and separate pieces of legislation with subtle differences that need serious consideration for the purposes of compliance.

About POPIA

POPIA is South Africa’s data protection law. Its main purpose is to protect people from harm by protecting their personal information. It is geared to prevent South Africans from becoming victims of cybercrime, identity theft, and generally to protect their privacy, which is a fundamental human right.

How the Act is enforced

POPIA contains certain requirements that companies operating within the country need to adhere to in terms of handling and processing personal information within and across the country’s borders. If the Information Regulator finds a person guilty of non-compliance or of being in contravention of the Act, this may result in:

  • A fine of between R1 million and R10 million, or imprisonment of one to ten years.
  • Paying compensation to data subjects for the damage they have suffered.

What companies need to do to be compliant with POPIA

It is therefore important for multinationals to ensure that their data privacy compliance programme is tailored to apply the requirements of the Act. International companies are encouraged to implement a meaningful compliance programme that also complies with POPIA, even where their head office, for example, already complies with a law such as the GDPR.

Local personnel (and international personnel, if they regularly deal with data processed in South Africa) need to be trained to understand the local Act, the level of information processed in the local office, and the appropriate way of handling the cross-border flow of information from South Africa.

POPIA allows for the transfer of personal information processed in South Africa to another jurisdiction so long as legislation providing similar protections to personal information as POPIA is applied in the other country. If a similar law does not exist, the party receiving the personal information in the other jurisdiction must agree to treat the information with similar protection before it can be shared.

Additionally, companies are required to register their respective Information Officers (known as the Data Protection Officer under the GDPR) with the Information Regulator of South Africa as part of the company’s compliance with POPIA.

Lastly, all businesses operating in South Africa are required to have a Promotion of Access to Information Manual in terms of the Promotion of Access to Information Act, which is a sister act to POPIA.