{"id":2629,"date":"2020-07-28T15:36:18","date_gmt":"2020-07-28T14:36:18","guid":{"rendered":"https:\/\/staging.techgdpr.com\/?p=2629"},"modified":"2024-02-22T17:10:00","modified_gmt":"2024-02-22T16:10:00","slug":"a-comparison-of-popia-and-gdpr-in-key-areas","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/","title":{"rendered":"A Comparison of POPIA and GDPR in Key Areas"},"content":{"rendered":"\n<p><span style=\"color: #000000;\">South Africa&#8217;s <a style=\"color: #000000;\" href=\"https:\/\/popia.co.za\">Protection of Personal Information Act<\/a> (POPIA) will see its final sections go into effect on 30 June 2021. Furthermore, parties subject to POPIA must be fully compliant with the guidelines by 1 July 2021. A number of them may have a head start if they already adhere to established data protection guidelines such as the European Union&#8217;s General Data Protection Regulation (GDPR). However, they may still be unaware of the extent to which they must adapt to POPIA. 
This article therefore provides a comparison of POPIA and GDPR to provide a helpful guide for parties subject to both regulations.<\/span><\/p>\n\n\n\n<p><span style=\"color: #000000;\">GDPR and POPIA are fairly similar overall, albeit with some differences in terminology, organisation of the respective articles, and greater specificity on the part of GDPR.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"color: #000000;\">Key Definitions in GDPR and POPIA<\/span><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\n<h4><span style=\"color: #000000;\"><strong>Key Terms<br><\/strong><\/span><\/h4>\n<\/td><td>\n<h4><span style=\"color: #000000;\"><b>Definition<\/b><\/span><\/h4>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Personal information (POPIA) <\/strong><\/span><\/h5>\n<h5><span style=\"color: #000000;\"><strong>Personal data (GDPR)<br><\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">Information relating to an identifiable, living, and natural person.<\/span>\n<p><span style=\"color: #000000;\"><em><strong>POPIA also includes juristic persons, where applicable.<\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Processing<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information. 
This includes:<\/span>\n<ul>\n<li><span style=\"color: #000000;\">Collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use<\/span><\/li>\n<li><span style=\"color: #000000;\">Dissemination by means of transmission, distribution or making available in any other form<\/span><\/li>\n<li><span style=\"color: #000000;\">Merging, linking, as well as restriction, degradation, erasure or destruction of information<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Consent<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.<\/span>\n<p><span style=\"color: #000000;\"><em><strong>POPIA also mentions that it is \u201csubject to interpretation regarding what constitutes a voluntary expression of will\u201d<\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Data Subject<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">The person to whom personal information relates.<\/span><\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><b>Responsible Party (POPIA) Data Controller (GDPR)<\/b><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">A public, private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.<\/span><\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><b>Data Processor (GDPR)<\/b><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.<\/span>\n<p><span style=\"color: #000000;\"><em><strong>There is no concept of a data processor in POPIA, so the responsible party appears to be the sole party liable for POPIA 
violations.<\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><b>Information Regulator (POPIA) <\/b><\/span><\/h5>\n<h5><span style=\"color: #000000;\"><b>Supervisory Authority (GDPR)<\/b><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">A juristic person with jurisdiction throughout the republic\/member state, is subject only to the constitution, must perform its functions in accordance with POPIA\/GDPR, and is accountable to the National Assembly.<\/span>\n<p><span style=\"color: #000000;\"><em><strong>A key difference between the Information Regulator and Supervisory Authority is explained below. <\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Information Officer<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">South Africa\u2019s pre-existing data protection regulation established under the Promotion of Access to Information Act (PAIA). The responsible party is obliged to notify the designation of the Information Officer to the Regulator. Responsibilities of the IO include:<\/span>\n<ul>\n<li><span style=\"color: #000000;\">Encouraging compliance with POPIA and the conditions for lawful processing<\/span><\/li>\n<li><span style=\"color: #000000;\">Dealing with any request made to the organisation.<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\"><em><strong>However, it is unclear what &#8220;any request\u201d covers. <\/strong><\/em><\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\">Cooperating with the Information Regulator in respect of any investigation<\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\"><em><strong>The comparable GDPR term is the Data Protection Officer. 
However, the IO is responsible for ensuring compliance with POPIA while the DPO must supervise and consult, but remain independent.<\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><b>Deputy Information Officer<\/b><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">A person(s) to be designated in accordance with Art. 56 to help the Information Officer perform his\/her tasks.<b>&nbsp;<\/b><\/span>\n<p><span style=\"color: #000000;\"><em><strong>There is no mention of a comparable person in the GDPR.<\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td rowspan=\"2\">\n<h5><span style=\"color: #000000;\"><b>Special Personal Information (POPIA)<\/b><\/span><\/h5>\n<h5><span style=\"color: #000000;\"><b>Special Categories of Personal Data (GDPR)<br><\/b><\/span><\/h5>\n<\/td><td rowspan=\"2\"><span style=\"color: #000000;\">The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.<\/span>\n<p><span style=\"color: #000000;\">The criminal behaviour of a data subject to the extent that such information relates to alleged offenses. 
Additionally, a<\/span><span style=\"color: #000000;\">ny proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.<\/span><\/p>\n<p><span style=\"color: #000000;\"><b><i>POPIA and GDPR have the same content here, but POPIA puts criminal offenses under the category of special personal information, while the GDPR dissociates the two concepts.<br><\/i><\/b><\/span><\/p>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"color: #000000;\">A key difference between the Information Regulator (POPIA) and the Supervisory Authority (GDPR)<\/span><\/h2>\n\n\n\n<p><span style=\"color: #000000;\">Responsible parties under POPIA must obtain authorisation from the Regulator in order to:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"color: #000000;\">process:<\/span>\n<ul class=\"wp-block-list\">\n<li><span style=\"color: #000000;\">unique identifiers of data subjects for a purpose other than the one specifically intended at collection and with the aim of linking the identifiers with those processed by other responsible parties<\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\">information on criminal behaviour or on unlawful\/objectionable conduct on behalf of third parties<\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\">information for the purpose of credit reporting<\/span><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span style=\"color: #000000;\">transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.<\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\">The above provisions may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data 
subject.<\/span><\/li>\n<\/ul>\n\n\n\n<p><span style=\"color: #000000;\"><em><strong>In comparison, the GDPR\u2019s Supervisory Authority only monitors GDPR compliance<\/strong><\/em><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"color: #000000;\">What are the <i>Conditions <\/i>(principles) for processing personal information in GDPR and POPIA?<\/span><\/h2>\n\n\n\n<p><span style=\"color: #000000;\">For both the GDPR and POPIA, <b>accountability<\/b> is the central principle for processing personal information. Under accountability, both regulations specify that the controller\/responsible party demonstrate compliance with the following conditions (principles):<\/span><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\n<h4><span style=\"color: #000000;\"><strong>Conditions\/Principles<\/strong><\/span><\/h4>\n<\/td><td>\n<h4><span style=\"color: #000000;\"><strong>Definition<\/strong><\/span><\/h4>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Processing Limitation<br><\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">Data must be processed lawfully and reasonably, adhering to the concept of minimality (minimisation in GDPR). 
In other words, the processing should be adequate, relevant and not excessive.<\/span>\n<p><span style=\"color: #000000;\">Collection must come directly from the data subject, except under certain specified circumstances.<\/span><\/p>\n<p><span style=\"color: #000000;\"><em><strong>Here, POPIA combines minimality and the requirement to collect data directly from the data subject, while GDPR puts these concepts under two articles.<\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Purpose specification (POPIA) <\/strong><\/span><\/h5>\n<h5><span style=\"color: #000000;\"><strong>Storage Limitation (GDPR)<br><\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">\u201cPersonal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.\u201d The data subject must be made aware of the purpose of the collection of the information barring certain exceptions outlined in section 18(4).<\/span>\n<p><span style=\"color: #000000;\">\u201cRecords of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected,\u201d except for a legal requirement, contract, etc.<\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Further Processing<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">Once data has been processed, further processing may only occur if the purpose of the further processing is compatible with the purpose for which it was collected.<\/span><\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Information Quality (POPIA) Accuracy (GDPR)<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">The responsible party must ensure that the personal information is complete, accurate, not misleading and updated.<\/span><\/td><\/tr><tr><td>\n<h5><span style=\"color: 
#000000;\"><strong>Openness<\/strong><\/span><\/h5>\n<\/td><td>\n<ul>\n<li><span style=\"color: #000000;\">The responsible party must maintain the documentation of all processing operations<\/span><\/li>\n<li><span style=\"color: #000000;\">The responsible party must ensure, at the time of collection, that the data subject is aware of:<\/span>\n<ul>\n<li><span style=\"color: #000000;\">The information collected and its source if not from the data subject<\/span><\/li>\n<li><span style=\"color: #000000;\">The name and address of the responsible party<\/span><\/li>\n<li><span style=\"color: #000000;\">The purpose of collecting the information<\/span><\/li>\n<li><span style=\"color: #000000;\">Whether the information collection is mandatory or voluntary<\/span><\/li>\n<li><span style=\"color: #000000;\">The consequences of failure to provide the information<\/span><\/li>\n<li><span style=\"color: #000000;\">Any law requiring the collection of the information<\/span><\/li>\n<li><span style=\"color: #000000;\">Any intention of the responsible party to transfer the information to a third country and the level of protection afforded by that third country<\/span><\/li>\n<li><span style=\"color: #000000;\">Recipients of the information<\/span><\/li>\n<li><span style=\"color: #000000;\">The nature of the information<\/span><\/li>\n<li><span style=\"color: #000000;\">Their rights to object to the information processing and to officially lodge a complaint with the Information Regulator<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"color: #000000;\"><em><strong>GDPR stipulates that \u201cthe controller shall provide\u201d the information above, but POPIA\u2019s terminology, <\/strong><strong>\u201caware of,\u201d makes<\/strong><strong> it harder to prove. 
As a result, responsible parties are held to less accountability.<br><\/strong><\/em><\/span><\/p>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Security Safeguards<\/strong><\/span><\/h5>\n<\/td><td><span style=\"color: #000000;\">The \u201cresponsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures\u201d (TOMs):<\/span>\n<ul>\n<li><span style=\"color: #000000;\">Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control<\/span><\/li>\n<li><span style=\"color: #000000;\">Establish and maintain appropriate safeguards against the risks identified<\/span><\/li>\n<li><span style=\"color: #000000;\">Regularly verify that the safeguards are effectively implemented<\/span><\/li>\n<li><span style=\"color: #000000;\">Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards<\/span><\/li>\n<\/ul>\n<\/td><\/tr><tr><td>\n<h5><span style=\"color: #000000;\"><strong>Data subject participation<\/strong><\/span><\/h5>\n<\/td><td>\n<ul>\n<li><span style=\"color: #000000;\">The right to access (after providing proof of identity)<\/span><\/li>\n<li><span style=\"color: #000000;\">Right to ask the responsible party to correct or delete personal information that is \u201cinaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.\u201d<\/span><span style=\"color: #000000;\"><br><\/span><\/li>\n<\/ul>\n<p><em><strong><span style=\"color: #000000;\">Data subject participation is further explained in the section below on the Rights of Data Subjects.<\/span><\/strong><\/em><\/p>\n<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span style=\"color: #000000;\">How does the scope of application of POPIA compare with that of the 
GDPR?<\/span><\/h2>\n\n\n\n<p><span style=\"color: #000000;\">POPIA and GDPR apply when the responsible party is:<\/span><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"color: #000000;\"><b>Domiciled<\/b> (established) in the Republic\/EU<\/span><\/li>\n\n\n\n<li><span style=\"color: #000000;\"><b>Not domiciled<\/b> in the Republic, but makes use of automated or non-automated means in th<\/span>e Republic with the exception of forwarding personal information.<\/li>\n<\/ul>\n\n\n\n<p><b><i>This scope is comparable to the EU&#8217;s pre-GDPR Directive-1995. However, the GDPR also applies when the data processed belongs to EU citizens, regardless of the headquarters of the controller\/processor, and when EU member state law applies due to international agreements.<\/i><\/b><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the exceptions to the prohibition on processing special personal information under POPIA and GDPR?<\/h2>\n\n\n\n<p>Under both POPIA and GDPR, responsible parties\/controllers may process special personal information if processing is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Carried<\/strong> out with the <i>consent <\/i>of a data subject<\/li>\n\n\n\n<li><strong>Necessary<\/strong> for the <i>establishment, exercise or defence of a right <\/i>or obligation in law<\/li>\n\n\n\n<li><strong>Necessary<\/strong> in order to comply with an <i>obligation <\/i>of international public law<\/li>\n\n\n\n<li><strong>For<\/strong> <i>historical, statistical or research purposes <\/i>to the extent that\n<ul class=\"wp-block-list\">\n<li>the purpose serves a <i>public interest <\/i>and the processing is necessary for the purpose concerned<\/li>\n\n\n\n<li>it appears to be impossible or would involve a disproportionate effort to ask for consent<\/li>\n\n\n\n<li>sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate 
extent<\/li>\n\n\n\n<li>Information has deliberately been made <i>public <\/i>by the data subject<\/li>\n\n\n\n<li>Regulator has granted an authorisation upon application by the responsible party on the basis of public interest and established safeguards<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How does POPIA\u2019s justification of processing compare with the GDPR\u2019s legal bases?<\/h2>\n\n\n\n<p>Under POPIA and GDPR, processing is justified when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consent is given by the data subject, or by a competent person when the data subject is a child<\/li>\n\n\n\n<li>processing is:\n<ul class=\"wp-block-list\">\n<li>necessary to carry out actions for the <i>conclusion or performance of a contract <\/i>to which the data subject is party<\/li>\n\n\n\n<li>complies with an <i>obligation <\/i>imposed by law on the responsible party<\/li>\n\n\n\n<li>necessary for the proper performance of a public law duty by a public body<\/li>\n\n\n\n<li>protects a legitimate interest of the data subject. <b><i>This might be interpreted to cover the data subject&#8217;s vital interest, a term the GDPR uses, but this is unclear.<\/i><\/b><\/li>\n\n\n\n<li>necessary for pursuing the legitimate interests of the responsible party to whom the information is supplied. 
<b><i>POPIA additionally covers the legitimate interests of third bodies here.<\/i><\/b><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Rights of data subjects<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\n<h5><strong>POPIA Rights<\/strong><\/h5>\n<\/td><td>\n<h5><strong>GDPR Equivalent &amp; nuances<\/strong><\/h5>\n<\/td><\/tr><tr><td>The right to be notified<\/td><td>Right to be informed<\/td><\/tr><tr><td>The right to access<\/td><td>Right to access<\/td><\/tr><tr><td>The right to request correction, deletion or destruction of personal information<\/td><td>Right to modify and right to erasure<\/td><\/tr><tr><td>The right to object\n<p>When the processing is justified by legitimate interests of data subject or of the responsible party.<\/p>\n<p>When the processing is for direct marketing purposes<\/p>\n<\/td><td>The right to object\n<p>When processing is necessary for the performance of a task carried out in the public interest<\/p>\n<p>When processing is necessary to fulfill the controller\u2019s legitimate interests<\/p>\n<\/td><\/tr><tr><td>The right to not have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications;<\/td><td>&nbsp;<\/td><\/tr><tr><td>The right to not be subject, under certain circumstances, to a decision which results in legal circumstances based solely on the basis of the automated processing.\n<p><em><strong>This is further discussed below in &#8220;Additional Remarks&#8221;<\/strong><\/em><\/p>\n<\/td><td>Right not to be subject to a decision based solely on automated processing<\/td><\/tr><tr><td>The right to complain to the Regulator<\/td><td>Right to lodge a complaint with the supervisory authority<\/td><\/tr><tr><td>The right to effective judicial remedy<\/td><td>Right to file proceedings against a controller or a processor<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How does POPIA compare with 
GDPR in the following circumstances?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Processing for the purpose of direct marketing<\/h3>\n\n\n\n<p>In POPIA and GDPR, the processing of personal information of a data subject<i> for the purpose of direct marketing by means of any form of electronic communication<\/i>, including automatic calling machines, facsimile machines, SMSs or e-mail <em>is prohibited.<\/em> Exceptions to this prohibition are when the data subject has consented to the processing or is a customer of the responsible party subject to <i>subjection<\/i><b>.<\/b> In other words, the responsible party has obtained the contact details of the data subject in the context of the sale of a product\/service and they are marketing similar products\/services.<\/p>\n\n\n\n<p>Additionally, it is essential that the data subject be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to direct marketing related use of their electronic details. 
Direct marketing communication must accordingly contain the details and identity of the sender in addition to an address or other contact information to which the recipient may request that such communications cease.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Transfers outside of the Republic under POPIA<\/h3>\n\n\n\n<p>The responsible party must not transfer personal information to a <i>third party in a foreign country<\/i> aside from the following exceptions.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>\n<h5><strong>Transfer Exceptions<\/strong><\/h5>\n<\/td><td>\n<h5><strong>Remarks<\/strong><\/h5>\n<\/td><\/tr><tr><td>The third party recipient is subject to a law, binding corporate rules \u2013 in other words, policies within a group of undertakings \u2013 or a binding agreement which provides an adequate level of protection.<\/td><td>Although very similar to the GDPR, there is no certainty as to what a binding agreement refers to. For example, it could be equivalent to the GDPR or it could actually look more like the GDPR&#8217;s Standard Contractual Clauses.<\/td><\/tr><tr><td>Consent of the data subject.<\/td><td>In the GDPR, consent of the data subject is also a clear exception allowing for transfers outside of the EU that are not covered by appropriate safeguards.<\/td><\/tr><tr><td>Necessary in order to perform a contract.<\/td><td>This will undoubtedly be a source of debate. Responsible parties will likely consider their own business choices to be necessary.<\/td><\/tr><tr><td>The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject for that transfer. 
Lastly, if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.<\/td><td>This exception expects responsible parties to display a high standard of moral conduct relying on the objective assessment of what is &#8220;reasonably practical.&#8221; Moreover, it stipulates the ability of the controller to conduct an objective assessment of that data subject&#8217;s likelihood to give consent.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Additional Remarks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Regulator may exempt any responsible party from compliance with POPIA for the purpose of satisfying public interest or for the benefit of the data subject.<\/li>\n\n\n\n<li>Automated decision making is not based on the data subject\u2019s consent but rather on a contract or law\/code of conduct. Moreover, POPIA safeguards for automated decision making are narrower than in the GDPR. While POPIA provides only a possibility to make representations, GDPR provides a trio of rights related to automated decision making: obtain human intervention, express the point of view, and appeal the decision.<\/li>\n\n\n\n<li>Responsible parties under POPIA are able to process personal data in the event that the processing is deemed to be in the data subject\u2019s <em>legitimate interest<\/em><i>.<\/i> However, the phrasing of this concept is ambiguous. Consequently, it will likely become a source of abuse. For instance, a clear line of defence for businesses is to argue that they have <i>actually <\/i>evaluated the data subject\u2019s interest. 
Similarly, customary <i>assessments of interests <\/i>done by marketing departments are reflected in cookie banners like this one.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/techgdpr.com\/wp-content\/uploads\/2020\/07\/image2-300x72.png\" alt=\"Cookie Banner\"\/><\/figure>\n<\/div>\n\n\n<p>In the long run, as a cultural shift towards more privacy takes place, friction will increase between individuals who want more privacy and organisations who want more data. Accordingly, regulations like POPIA and the GDPR are essential for working through this friction.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>South Africa&#8217;s Protection of Personal Information Act (POPIA) will see its final sections go into effect on 30 June 2021. Furthermore, parties subject to POPIA must be fully compliant with the guidelines by 1 July 2021. 
A number of them may have a head start if they already adhere to established data protection guidelines such [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":2682,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[10,60,53],"tags":[45,35,73,69],"class_list":["post-2629","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-eu","category-regulation","category-terminology","tag-europe","tag-gdpr","tag-popia","tag-south-africa"],"acf":[],"category_list":"<a href=\"https:\/\/techgdpr.com\/blog\/category\/beyond-eu\/\" rel=\"category tag\">Beyond EU<\/a>, <a href=\"https:\/\/techgdpr.com\/blog\/category\/regulation\/\" rel=\"category tag\">Regulation<\/a>, <a href=\"https:\/\/techgdpr.com\/blog\/category\/terminology\/\" rel=\"category tag\">Terminology<\/a>","author_info":{"name":"Ella Russell","url":"https:\/\/techgdpr.com\/blog\/author\/ella\/"},"comments_num":"0 comments"}
TechGDPR\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/a-comparison-of-popia-and-gdpr-in-key-areas\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/a-comparison-of-popia-and-gdpr-in-key-areas\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/europe_sa_flag_sec.png\",\"datePublished\":\"2020-07-28T14:36:18+00:00\",\"dateModified\":\"2024-02-22T16:10:00+00:00\",\"description\":\"Businesses engaged with South Africa must be compliant with POPIA by 1 July 2021. However, a comparison of GDPR and POPIA reveals significant similarities.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/a-comparison-of-popia-and-gdpr-in-key-areas\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/techgdpr.com\\\/blog\\\/a-comparison-of-popia-and-gdpr-in-key-areas\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/a-comparison-of-popia-and-gdpr-in-key-areas\\\/#primaryimage\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/europe_sa_flag_sec.png\",\"contentUrl\":\"https:\\\/\\\/techgdpr.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/europe_sa_flag_sec.png\",\"width\":1128,\"height\":700},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/a-comparison-of-popia-and-gdpr-in-key-areas\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/techgdpr.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A Comparison of POPIA and GDPR in Key 
Areas\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#website\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"name\":\"TechGDPR\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/techgdpr.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#organization\",\"name\":\"TechGDPR\",\"url\":\"https:\\\/\\\/techgdpr.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"contentUrl\":\"https:\\\/\\\/staging.techgdpr.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/TGDPR_logo_500px.png\",\"width\":501,\"height\":334,\"caption\":\"TechGDPR\"},\"image\":{\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/techgdpr\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/techgdpr\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/techgdpr.com\\\/#\\\/schema\\\/person\\\/5042c912b7524cf121746797e7343fe8\",\"name\":\"Ella Russell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/acd244131c2d2d6ce70bac5e7c7ef3a72ef1bc9fe818b74f3238d055bf28246c?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/acd244131c2d2d6ce70bac5e7c7ef3a72ef1bc9fe818b74f3238d055bf28246c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/acd244131c2d2d6ce70bac5e7c7ef3a72ef1bc9fe818b74f3238d055bf28246c?s=96&d=mm&r=g\",\"caption\":\"Ella 
Russell\"},\"url\":\"https:\\\/\\\/techgdpr.com\\\/blog\\\/author\\\/ella\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A Comparison of POPIA and GDPR in Key Areas - TechGDPR","description":"Businesses engaged with South Africa must be compliant with POPIA by 1 July 2021. However, a comparison of GDPR and POPIA reveals significant similarities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/","og_locale":"en_US","og_type":"article","og_title":"A Comparison of POPIA and GDPR in Key Areas - TechGDPR","og_description":"Businesses engaged with South Africa must be compliant with POPIA by 1 July 2021. However, a comparison of GDPR and POPIA reveals significant similarities.","og_url":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/","og_site_name":"TechGDPR","article_published_time":"2020-07-28T14:36:18+00:00","article_modified_time":"2024-02-22T16:10:00+00:00","og_image":[{"width":1128,"height":700,"url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2020\/07\/europe_sa_flag_sec.png","type":"image\/png"}],"author":"Ella Russell","twitter_card":"summary_large_image","twitter_creator":"@techgdpr","twitter_site":"@techgdpr","twitter_misc":{"Written by":"Ella Russell","Est. 
reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#article","isPartOf":{"@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/"},"author":{"name":"Ella Russell","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/5042c912b7524cf121746797e7343fe8"},"headline":"A Comparison of POPIA and GDPR in Key Areas","datePublished":"2020-07-28T14:36:18+00:00","dateModified":"2024-02-22T16:10:00+00:00","mainEntityOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/"},"wordCount":2623,"publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2020\/07\/europe_sa_flag_sec.png","keywords":["Europe","GDPR","POPIA","south africa"],"articleSection":["Beyond EU","Regulation","Terminology"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/","url":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/","name":"A Comparison of POPIA and GDPR in Key Areas - TechGDPR","isPartOf":{"@id":"https:\/\/techgdpr.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#primaryimage"},"image":{"@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#primaryimage"},"thumbnailUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2020\/07\/europe_sa_flag_sec.png","datePublished":"2020-07-28T14:36:18+00:00","dateModified":"2024-02-22T16:10:00+00:00","description":"Businesses engaged with South Africa must be compliant with POPIA by 1 July 2021. 
However, a comparison of GDPR and POPIA reveals significant similarities.","breadcrumb":{"@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#primaryimage","url":"https:\/\/techgdpr.com\/wp-content\/uploads\/2020\/07\/europe_sa_flag_sec.png","contentUrl":"https:\/\/techgdpr.com\/wp-content\/uploads\/2020\/07\/europe_sa_flag_sec.png","width":1128,"height":700},{"@type":"BreadcrumbList","@id":"https:\/\/techgdpr.com\/blog\/a-comparison-of-popia-and-gdpr-in-key-areas\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/techgdpr.com\/"},{"@type":"ListItem","position":2,"name":"A Comparison of POPIA and GDPR in Key Areas"}]},{"@type":"WebSite","@id":"https:\/\/techgdpr.com\/#website","url":"https:\/\/techgdpr.com\/","name":"TechGDPR","description":"","publisher":{"@id":"https:\/\/techgdpr.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/techgdpr.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/techgdpr.com\/#organization","name":"TechGDPR","url":"https:\/\/techgdpr.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/","url":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","contentUrl":"https:\/\/staging.techgdpr.com\/wp-content\/uploads\/2018\/04\/TGDPR_logo_500px.png","width":501,"height":334,"caption":"TechGDPR"},"image":{"@id":"https:\/\/techgdpr.com\/#\/schema\/logo\/image\/"},"sameAs":["
https:\/\/x.com\/techgdpr","https:\/\/www.linkedin.com\/company\/techgdpr"]},{"@type":"Person","@id":"https:\/\/techgdpr.com\/#\/schema\/person\/5042c912b7524cf121746797e7343fe8","name":"Ella Russell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/acd244131c2d2d6ce70bac5e7c7ef3a72ef1bc9fe818b74f3238d055bf28246c?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/acd244131c2d2d6ce70bac5e7c7ef3a72ef1bc9fe818b74f3238d055bf28246c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/acd244131c2d2d6ce70bac5e7c7ef3a72ef1bc9fe818b74f3238d055bf28246c?s=96&d=mm&r=g","caption":"Ella Russell"},"url":"https:\/\/techgdpr.com\/blog\/author\/ella\/"}]}},"_links":{"self":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/2629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/comments?post=2629"}],"version-history":[{"count":16,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/2629\/revisions"}],"predecessor-version":[{"id":8122,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/posts\/2629\/revisions\/8122"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media\/2682"}],"wp:attachment":[{"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/media?parent=2629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/categories?post=2629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techgdpr.com\/wp-json\/wp\/v2\/tags?post=2629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}