Legal & Compliance

POPIA vs GDPR: What South African Businesses Exporting to Europe Need to Know

South African businesses serving European clients must navigate both POPIA and GDPR. Learn the key similarities, differences, and what extra steps are required.

Two laws, one business — it happens more than you'd think

A Cape Town software agency with clients in the Netherlands. A Johannesburg consultancy billing a London firm. A South African e-commerce store shipping to Germany. Each of these businesses may need to comply with both POPIA and GDPR at the same time — something most South African owners have never been told about.

When does GDPR apply to a South African business?

GDPR applies if you offer goods or services to people in the EU or UK — even with no physical presence there. Advertising in euros or pounds, translating your website into European languages, or invoicing European clients are indicators that GDPR applies. GDPR also applies if you monitor the behaviour of EU or UK visitors through website analytics.

Where POPIA and GDPR align

POPIA was modelled partly on European data protection principles. Genuine POPIA compliance gives you most of the GDPR groundwork: both require a lawful basis for processing, transparency through a privacy notice, data security, retention limits, individual access rights, and appropriate contracts with third-party processors.

Where GDPR goes further

Data portability: GDPR gives individuals the right to receive their data in a structured, machine-readable format. POPIA does not include this right. 72-hour breach notification: POPIA requires notification "as soon as reasonably possible" — GDPR is strict at 72 hours. Records of Processing Activities: GDPR formally requires documented ROPA records; POPIA does not. Data transfers to South Africa from Europe: South Africa is not yet on the EU or UK adequacy list, meaning you need Standard Contractual Clauses in contracts with European clients where their data flows to SA servers.

Key comparison

POPIA fines reach R10 million; GDPR fines reach €20 million or 4% of global turnover. POPIA requires every business to register an Information Officer; GDPR only requires a DPO for high-risk processing. Both require lawful basis, privacy notices, security, retention limits, and data subject rights — the GDPR set is broader.

Practical steps for dual compliance

  1. Register your Information Officer with the SA Information Regulator — free and legally required under POPIA
  2. Update your privacy policy to cover both POPIA and GDPR rights, including data portability for European clients
  3. Add Standard Contractual Clauses to contracts with European clients where you process or store their personal data
  4. Set a 72-hour breach notification procedure — stricter than POPIA requires but covers both laws
  5. Document your processing in a simple ROPA listing what data you hold, why, and where