
Data Protection Regulations – Understanding GDPR & POPI

We all know the intrusive feeling of those irritating and unwanted emails, texts and phone calls that plague us, seemingly daily, from companies that have somehow acquired our personal and private information.

Here’s what you need to know about Data Protection and the new regulations that have come into play…

As consumers, we don’t realise how much information is revealed about us while using the Internet, or fully appreciate how in previous years data and information about us was “taken”, shared and used without our permission, or what the full implications of an automatically ticked “yes” box were. Besides being extremely annoying, the use and abuse of our data and information has the potential to be very dangerous and damaging to ourselves and our businesses. Fortunately, two important acts/regulations have finally come into effect in 2018 which we should familiarise ourselves with – GDPR and POPI.

What is POPI?

POPI is the South African Protection of Personal Information Act, a piece of legislation designed to protect any personal information which is processed by both private and public bodies (including government). Some exceptions exist, but every organisation that collects, stores and otherwise modifies or uses information (i.e. processes information) is responsible under POPI and must comply with the conditions required for the lawful processing of personal information.

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s data protection legislation. It applies to organisations located within the EU and organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. In most respects it is similar to the Protection of Personal Information Act (POPIA); however, it does not apply to juristic persons. A juristic person is a bearer of rights and duties that is not a natural person but which is given legal personality by the law, for example a company or firm.

The data protection rules that applied across Europe before GDPR started to be enforced were first created during the 1990s and had struggled to keep pace with rapid technological changes. GDPR alters how businesses and public sector organisations can handle the information of their customers. It also boosts the rights of individuals and gives them more control over their information.

Elizabeth Denham, the UK’s Information Commissioner, who is in charge of data protection enforcement, says GDPR brings in big changes but has warned they don’t change everything. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution”. For businesses which were already complying with pre-GDPR rules the new regulation should be a “step change,” Denham says.

The noticeable difference

Consumers will start to see a difference in the way that organisations communicate with them about data use and private information. This will affect the length of consent statements and privacy policies. While marketing consent does not need to be explicit, it does need to be unambiguous. Transparency is required and clear and plain language will be needed. Consent will need to be obtained by a “clear affirmative action” and “Silence, pre-ticked boxes or inactivity” will not count. Consumers cannot be forced to give consent for further use of data when signing up to a service.

Don’t be fooled by the GDPR law emanating from the European Union. A company being based in the US, India or elsewhere won’t save it from the (rather hefty) penalties that the EU has promised to impose should a brand fall short of compliance when dealing with EU citizen data.

Of particular note is the current class-action case against Facebook, which faces a £500,000 fine for breaking data protection laws following a wide-ranging investigation into the Cambridge Analytica scandal by the UK’s data regulator. The incident took place before the EU’s GDPR came into force on 25 May 2018, meaning Facebook will not face a multi-million dollar fine. The 1998 Data Protection Act, which the investigation revolves around, only allows a maximum fine of £500,000. The investigation centres on a personality test app developed by Aleksandr Kogan for Cambridge Analytica. The app was used to scrape the personal data of up to 87 million Facebook users, who had their data exposed by Facebook to the political consulting firm that worked on the Donald Trump campaign.

Basically, the GDPR is designed to help customers gain a greater level of control over their data, while offering more transparency throughout the data collection and use process. These new laws will help to bring existing laws up to par with the connected digital age we live in. Since data collection is such a normal and integral aspect of our lives, on both a personal and business level, it helps to set the standard for data-related laws moving forward. GDPR is a regulation that you’ll want to take seriously. Below we dive into what this regulation is, the demands of the legislation and how it could impact your day-to-day business.

GDPR Requirements: How To Be GDPR Compliant

1. Obtaining Consent: Your terms of consent must be clear. This means that you can’t stuff your terms and conditions with complex language designed to confuse your users. Consent must be easily given and freely withdrawn at any time.

2. Timely Breach Notification: If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. Failure to report breaches within this timeframe will lead to fines.

3. Right to Data Access: If your users request their existing data profile, you must be able to serve them with a fully detailed and free electronic copy of the data you’ve collected about them. This report must also include the various ways you’re using their information.

4. Right to Be Forgotten: Also known as the right to data deletion, once the original purpose or use of the customer data has been realized, your customers have the right to request that you totally erase their personal data.

5. Data Portability: This gives users rights to their own data. They must be able to obtain their data from you and reuse that same data in different environments outside of your company.

6. Privacy by Design: This section of GDPR requires companies to design their systems with the proper security protocols in place from the start. Failure to design your systems of data collection the right way will result in a fine.

7. Potential Data Protection Officers: In some cases, your company may need to appoint a data protection officer (DPO). Whether or not you need an officer depends upon the size of your company and at what level you currently process and collect data.


CybACADEMY courses powered by GoldPhish® educate employees on cyber risk and help build a more secure organisation with awareness training.

Our FREE Campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with Free awareness training.


