The Privacy Variant

The Privacy Variant

In The Loop – Popia | Garlicke & Bousfield

You can apply for citizenship by descent or naturalization or by meeting the requirements as laid out by the governing country that you are applying to. This is a long, intensive process and one that will not always be positive.

Not so with COVID where during the last few months we have seen and heard media houses awarding citizenship to the various COVID variants by referring to the UK Variant or the Indian Variant or the SA Variant. These variants have been awarded nationality and citizenship without having to follow any process or having to meet any of the normal requirements that we are currently faced with.

Whilst this may be ‘too soon’ to find the humor, it is no laughing matter that, when dealing with data privacy, each country also has their own variant that one needs to be aware of when doing business in these countries, or with a citizen from these countries, or face the full wrath of the law.

Each data privacy variant housed separately by each country has similar yet very different requirements in terms of process and procedure.

USACalifornia Consumer Privacy Act (CCPA)

Brazil – Brazil’s Lei Geral de Proteçao de Dados (LGPD)

India – India’s Personal Data Protection Bill (PDPB)

United Kingdom – General Data Protection Regulation, (GDPR)

South Africa – Protection of Personal Information Act ,2013 (POPIA)

The above is to name but a few of the privacy variants that are currently circulating globally.

The South African variant POPIA verses GDPR the UK variant

POPIA and the GDPR contain many similarities, particularly in regard to their material scope, key definitions, providing for data subject rights, and in their general approach to personal data protection. However, there are also substantial differences between POPIA and the GDPR. POPIA does not establish an explicit right to data portability, and it applies to juristic persons. There are also variations in what is defined as a special category of data, when data subject rights can be exercised, and how to respond to a data breach.

POPIA sets a pace worthy to be complied with known as the 8 conditions for processing personal information:

  • Accountability – ensuring the conditions for lawful processing of information are met.
  • Processing limitation – you must process personal information lawfully, minimally, in accordance with the consent, justification and objection provisions, and with the data subject’s consent, unless certain exceptions apply.
  • Purpose specification – you must process personal information for a specific purpose and adhere to the retention and restriction of records provisions in POPIA.
  • Further processing limitation – further processing of information must be compatible with the purpose of collection.
  • Information quality – you must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated.
  • Openness – you must maintain the documentation of all processing operations under its responsibility and take reasonably practicable steps to ensure that the data subject is aware of certain information.
  • Security safeguards – you must:
      1. secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable technical and organisational measures;
      2. in terms of a written contract, ensure that the operator, which processes personal information for you, establishes and maintains security measures; and
      3. as soon as reasonably possible after the discovery of a compromise, notify the Information Regulator and the data subject.
  • Data subject participation – Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.


Complying with these 8 conditions will give you the protection that you need to build up your immunity to regulatory fines and administrative sanctions which you could face.

In essence, no matter who or where you are, data privacy is international and requires your attention if you are an organization or a person processing personal information.


Telephone: +27 31 570 5465; Email:


Related News and Articles