The general data protection regulation (GDPR) is not limited to the European Union alone. Indeed, since it applies to the processing of personal data “whether the processing takes place in the Union or not ” (Article 3), its scope has extraterritorial effects.
In South Africa, the protection of personal data is regulated by the Protection of Personal Information Act (POPIA), and the implementation of the GDPR raises many questions:
– What does the GDPR mean for the POPI Act?
– Is the POPI Act going to be amended?
– Must you comply with both of them?
– And, if you do, does POPIA create any extra compliance requirements on an organisation in addition to what the GDPR requires?
– What happens if there is a conflict between them?
In this article, Lexing South Africa, Michalsons, tries to answer them: