Legal updates and opinions
News / News
Business must protect the data of all South Africans
If your business has met all the requirements of European data privacy regulations, do you then also comply with South Africa’s Protection of Personal Information Act (POPIA)?
Not necessarily.
Although the General Data Protection Regulation (GDPR) and POPIA share many similar requirements, there are some differences.
The GDPR applies to companies in the European Union (EU), as well as organisations outside the EU that offer goods or services or process personal data of EU citizens. POPIA promotes the constitutional right to privacy of South African individuals and companies by safeguarding the personal information of natural persons and identifiable juristic persons.
Many South African companies with cross-border operations have to be GDPR compliant.
But these companies need to consider the particular nuances of South African society when complying with local data privacy legislation. The main consideration is whether the way in which you are processing personal information is in line with public interest.
So what should companies do?
First and most important, companies need to clearly understand their customers. Think about education levels, literacy, access to technology and geographical location, among others.
Armed with a deep understanding of their customers, companies must then communicate about the use of personal information in a way that is easily understandable to their audience.
The onus to communicate clearly to customers will be higher when complying with POPIA than GDPR given the differences in education levels and sophistication of South African consumers compared to Europeans. South Africa is not only one of the most unequal countries in the world, its education levels also vary considerably across the population. Also, consider that the average person in the European Union is expected to undertake 17.6 years of education over their lifetime (Statista.com). In South Africa the average is 13,5 years (UN Development Programme).
South African companies need to put a lot of thought into making sure they really understand their customers. They need to use plain language in their communications. Should they wish to rely on consent when processing personal information, they will be required to demonstrate that they obtained proper informed consent from a customer. That customer must fully understand that their personal information is being collected and processed and for what purpose. Everyone in society has the exact same right to the privacy of information. Companies need to start thinking about whether their data protection processes cater for the nuances of South African society.
Latest News
Mind the Conduct: A Guide to COFI – Part 5: Governance and Accountability
by Hilah Laskov, Director Introduction In this article series, we take a deep dive into the South African Conduct of [...]
Misuse of the business rescue process – failure before it begins
by Dr. Eric Levenstein, Director and Head of Insolvency & Business Rescue and Amy Mackechnie, Senior Associate Business rescue was introduced [...]
Constitutional Court clarifies rights of innocent contractors under invalid state contracts
by Sarah Moerane, Director and Kuhle Joja, Associate In Minister of Defence and Military Veterans v Zeal Health Innovations (Pty) [...]
Untangling the mischief of section 43 of the Electronic Communications Act: A missed opportunity in the Amendment Bill
by Corlett Manaka, Director and Head of Disputes, Akhona Bilatyi, Director and Koketso Rapoo, Senior Associate On 12 March 2026, [...]
A charge by any other name would smell as sweet
by Bradley Workman-Davies, Director The Labour Appeal Court's judgment in Machi v Chep SA (Pty) Ltd and Others serves as [...]
When a misdirected email becomes a data breach: The Information Regulator issues an enforcement notice on internal and accidental security compromises
by Armand Swart, Director, Hlonelwa Lutuli, Associate and Isabella Keeves, Candidate Attorney On 22 May 2026, South Africa’s Information Regulator [...]
