GDPR & Data Protection Laws in Africa: A Comparison
What are the similarities and differences between GDPR and the data protection regulations enacted in African countries? We look at the situation in Kenya, Nigeria and South Africa.
Data doesn’t stop at national borders. It’s a global concern, which makes it crucial for businesses operating in diverse markets to understand regional data protection laws. In Africa, several countries have enacted their own legislation to safeguard personal data.
In this post, we explore data protection law in Nigeria, South Africa and Kenya, consider what data protection DNA they share with the EU’s General Data Protection Regulation (GDPR), and where they differ.
South Africa’s Protection of Personal Information Act (POPIA) 2013
POPIA regulates the processing of personal information in South Africa, emphasising transparency, consent, and the secure handling of data.
POPIA aligns closely with GDPR principles, including data subject rights, data minimization, and accountability, but not everything is consistent. Amongst the differences are the following:
◦ NDPR does not consider pseudonymised data (that is, processing of data which makes identification of the individual to whom it belongs impossible without additional, separate information). GDPR does.
◦ The requirement for consent in the processing of children’s personal data is required for all under-18s in South Africa. This only extends to under-16s (and in some cases, under-13s) with the GDPR.
◦ Although both pieces of legislation impose a responsibility on controllers to carry out impact assessments to ensure standards are imposed and maintained, the POPIA doesn’t go into specifics as to how to conduct that review. GDPR does.
◦ Unlike GDPR, POPIA contains no right to data portability.
Nigeria’s Data Protection Regulation (NDPR) 2019
The NDPR provides a legal framework for the protection of personal data in Nigeria, and places the emphasis on consent, data subject rights, and data security measures.
NDPR shares numerous similarities with GDPR, particularly in areas like data subject rights, purpose limitation, and accountability. Differences include:
◦ NDPR does not consider pseudonymised data. GDPR does.
◦ NDPR places no obligation on data processors to maintain records or processing activities. GDPR does.
◦ In the event of a data breach, GDPR requires data controllers to notify the relevant authorities. NDPR carries no such requirement (although it does impose numerous other measures).
Kenya’s Data Protection Act (DPA) 2019
DPA seeks to regulate the processing of personal data in Kenya, focusing on consent, purpose limitation, and data subject rights.
Kenya’s DPA exhibits parallels with GDPR, especially in terms of consent, data subject rights, and data security measures. There are, however, some distinct differences:
◦ Unlike GDPR (but like Nigeria’s DPR), the DPA does not require data controllers to keep records of their processing activities.
◦ While both pieces of legislation confer the right for data subjects to access their personal information, the DPA doesn’t offer much in the way of explanation about how a data subject might exercise that right.
◦ Both pieces of legislation confer the right to data portability, but the DPA presents the right in (arguably) simpler and broader terms than the GDPR.
◦ Enforcement (see below)
GDPR has an extraterritorial reach, which means that it applies to organisations worldwide processing the data of EU residents. African data protection laws typically apply within their respective jurisdictions but not beyond it.
While GDPR imposes substantial fines for non-compliance, enforcement mechanisms in African countries vary, ranging from fines to regulatory sanctions. Kenya’s maximum fine, for example, is 5 million shillings or 1% of annual turnover, but there is also the potential for up to two years’ imprisonment.
Does complying with African data protection laws guarantee compliance with GDPR?
No. Businesses complying with POPIA, NDPR and DPA principles will inevitably find it easier to align with GDPR requirements (you can find a complete guide to the General Data Protection Regulation here), because many of the building blocks of compliance will already be in place.
But as the above summary demonstrates, the differences are sufficient enough to ensure that compliance with one standard does not automatically mean compliance with another (whether that’s the GDPR or another African standard).
If you trade across Africa and the EU and process the data of EU and African citizens or residents, you’ll need to understand the intricacies of data protection frameworks in each territory to ensure you remain compliant, protect the data of your customers, and minimise organisational risk.
GDPRLocal can help. Get expert support in managing your data protection here, or call +44 1772 217800.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
For many online businesses, data protection has become a critical concern. With the introduction of
Unraveling India’s Digital Personal Data Protection Bill 2023: A Comparative Study with GDPR – Part 2
In the first part of our blog series - India Enacted the Digital Personal Data Protection Bill in 2
Personal information is increasingly stored and shared online, making it essential to have secure m