People often wonder how a South African lawyer can know anything about European data protection law in the form of the GDPR having spent eight years practising law at the tip of Africa. The important thing is the type of law I’ve been practising and why I’ve been doing it. I’ve been practising international privacy compliance, particularly with the GDPR, because of the dire need and demand for it in South Africa. This need and demand exists because:
the EU is one of South Africa’s biggest trading partners;
the GDPR and South African data protection law have a similar legal heritage; and
the GDPR applies to organisations in South Africa.
I therefore have an in-depth knowledge of GDPR based on years of research into it and it’s predecessors (such at the UK Data Protection Act) and extensive experience helping mainly local clients in South Africa and some international clients comply with it and similar data protection laws.
Below is a detailed explanation of the main reasons why I’ve accumulated that research and experience.
The EU is one of South Africa’s biggest trading partners
The EU is one of South Africa’s biggest trading partners with our top three export countries in it generally being Germany, the United Kingdom and the Netherlands. I therefore have many clients who have to comply with the GDPR either in their own capacity as data controllers or a subset of its requirements that a DPA (Data Processing Agreement) imposes on them as a processor to ensure they can lawfully continue to serve the European market and avoid fines and penalties. This has caused me to become an expert in data processing agreements, cross-border data transfers and information security as the main privacy issues that impact on my clients’ ability to serve the EU market.
The GDPR and South African data protection law have a similar legal heritage
South African data protection law in the form of the Protection of Personal Information Act (POPIA) is cut from the same cloth as GDPR. The GDPR is more up-to-date and lacks certain idiosyncrasies that POPIA has for the South African market, but they’re both based on the same idea of principle-based privacy legislation from the international treaties of the 80’s, which were codified into the European Privacy Directive of 1995 and ended up in the EU’s regional data protection laws in the 90’s. In fact, POPIA bears a striking resemblance to the UK Data Protection Act from 1998 and has very similar wording to many if its sections.
POPIA has yet to commence despite being signed into law since 2013 and the supervisory authority in charge of it has yet to issue any meaningful guidance on it. This means that the desire for GDPR compliance has eclipsed the need for POPIA compliance for many of my early-adopter clients. I therefore spend much of my workday researching the GDPR as the most cutting-edge data protection law in the world to better interpret POPIA for my South African clients. I also read guidance from English-speaking supervisory authorities in Europe, such as ICO in the UK and the DPC in Ireland because there is currently no such guidance in South Africa.
The GDPR applies to organisations in South Africa
Article 3.2 of the GDPR says that it applies to the processing of EU data subjects’ personal data by a controller or processor that is not established in the EU, provided that the processing activities relate to offering goods or services to EU data subjects (irrespective of whether the data subject pays for those goods or services).
Many of my clients based in South Africa have to comply with the GDPR because they offer goods or services to EU data subjects. We’ve seen what happens to companies that don’t comply with the GDPR in Europe with massive fines levelled against British Airways, the Marriott Group and Facebook in recent years – and many listed or up-and-coming South African companies entrust me and my firm to stop them from suffering a similar fate.