Most data protection laws like POPIA or GDPR refer to personal information or personal data as what needs to be protected. But what classifies as personal information according to the laws? I’ve put together a flow-chart to help you decide whether you have personal information in terms of the POPI Act (POPIA) or personal data in terms of the GDPR. Last week I wrote an article about complying with the GDPR, if you find you have personal data in terms of the GDPR, you may want to check it out to see whether you need to comply.
Between the GDPR and POPIA there are a few differences that you need to be aware of. One of the most glaring differences is that of Juristic Persons. In South Africa, POPIA covers these entities as having personal information. A juristic person can be a company, a trust, and basically any non-human legal entity. As such, you need to be considering and protecting personal information belonging to your suppliers and clients businesses, as well as individuals.
Special or Sensitive Information
Within both laws, there are pieces of information that are more sensitive than others. This kind of information is referred to as Special Personal Information in South Africa, or Sensitive Personal Data in the GDPR.
Sensitive Personal Data (GDPR Article 9)
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data (for identification)
- Health, sex life, and sexual orientation
Special Personal Information (POPIA Section 26)
- Religious of philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health or sex life
- Biometric information
- Criminal behaviour
As you can see, there’s a fair amount of overlap between the two, with differences in wording between biometrics, criminal behaviour, and sexual orientation. This type of information requires more care, and often has more hoops to jump through in order to process lawfully.
Minors (POPIA Section 34 & 35, GDPR Articles 6 & 8)
This is another very important part. If you are marketing to minors or providing services to minors, you need to take additional steps to protect the data and justify why you are processing. You will also likely need to get very explicit consent from a child’s guardian in order to process lawfully. It’s also very important to be aware that in the EU, the age defining a “child” may change from region to region.
Account Numbers (POPIA Section 105 & 106)
Lastly, we have another category of data in that of account numbers, particularly with regard to POPIA. Any unique identifier that can be used to gain access to funds or credit can be considered an account number, and additional protections need to be put in place around these. There are also greater penalties for this information being breached or remaining unprotected, with longer sentences and greater fines.
If you are processing personal information, you need to comply with local and international regulation. POPIA may not be in yet, but GDPR has already been active for over a year, with far reaching consequences and responsibilities! We at Ross G Saunders Consulting offer compliance services in conjunction with leading associates in the field. Contact us today to find out how we can help you make compliance easier without losing your own resources to the exercise.