
Two sides of a coin: POPIA and GDPR

June 4, 2018

Editor’s note: This article is from the xneelo archive and some information may have changed since publication.

Data privacy is crucial for website owners for several important reasons, including trust and reputation, risk management, and ethical responsibility. But protecting sensitive company and customer data is so much more than a nice-to-have. Privacy regulations like the Protection of Personal Information Act (POPIA) and the General Data Protection Regulation (GDPR) may require website owners to make changes to their business practices.

In this article, we break down what these regulations entail and what you as a website owner need to know. 

What is POPIA?

POPI stands for Protection of Personal Information. POPIA stands for the Protection of Personal Information Act (Act No. 4 of 2013), also referred to as the POPI Act.

The POPI Act was passed by the South African National Assembly to promote and ensure the protection of personal information by public and private bodies in South Africa.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European privacy law which became enforceable on 25 May 2018. It aims to strengthen the security and protection of personal data in the EU.

This law determines how companies must process and protect their customers' personal data, and how they must notify customers about it. This includes all aspects of collecting, storing, transferring or using personal data. It applies to the personal data of anyone living in the European Union.

Why is this European law important for South African business?

Global trade has resulted in cross-continental data exchange. The manner in which data is collected, processed, stored and transferred has serious implications for the privacy and security of individuals. If you have an online business, you could have customers in multiple countries, including the EU. This legislation affects you, as it has been designed to protect your customers.

“I have a small business. Does this really affect my business?”

The answer is a resounding “Yes!” If you collect and process your customers’ data, then you need to be GDPR- and POPIA-compliant.

Imagine you own a small guesthouse and you have an online booking system. Your guests from all over the world, including the UK and Europe, are able to book accommodation at your guesthouse online. In terms of the GDPR, you are a data controller. Your online process requires collection of their personal data upfront (name, address, email, phone number, passport/ID, credit card details etc.), which is captured on an online booking form and stored on your server. Therefore, you need to be GDPR- and POPIA-compliant.

If your online booking is processed through a third party (or data processor) such as Booking.com or tripadvisor.co.za (meaning that they collect the personal data on your behalf and then pass it on to you), then both they and you need to be compliant.

Is xneelo GDPR compliant?

The short answer is yes. While we only have a small number of EU customers, we take the protection of our customers’ personal data very seriously. We comply with the relevant data protection laws as set out in the GDPR.

What’s important is that we have no access to our customers’ data, nor do we have access to the data that our customers collect from their own customers.

How do POPI, POPIA and GDPR relate to each other?

While GDPR focuses on the data of an individual, POPIA focuses on individuals and companies in South Africa. The great news is that if your business is GDPR compliant, then you are well on your way to POPIA compliance.

Are you a data processor, data controller, or both?

In terms of the GDPR, a data controller is the party that determines the reasons, conditions and methods of extracting and processing personal data. The processor is the party that processes personal data on behalf of the controller.

It’s for our protection

These laws may seem to create a steady stream of red tape, which is time-consuming and expensive. However, let us not forget the reasons that Acts like the GDPR and POPIA exist. They are there to ensure that the personal information of ordinary people is protected and secure, and handled with respect and discretion. Ultimately, we will all benefit from these laws.

Read more at our Help Centre, the GDPR website or see the POPI Act.
