Back to Home

Data Compliance for Schools in South Africa


Personal Data Compliance in Schools

All schools in South Africa process a large amount of “personal identifiable information” (“PI”). This PI data includes any sort information which could identify a particular person and their linked information such as identity information, email address or banking details. It is essential to the functioning of a school to understand who its students, service providers and supporting networks are. But whenever a school uses, records or stores this personal information, this is regarded as “processing” under new South African and foreign data protection and privacy laws. These laws are trying to put the control over people’s personal information, especially the data relating to minors, back into the hands of the people themselves.

Many South African schools and companies have now heard of the Protection of Personal Information Act No.4 of 2013 (“POPI”); a South African law which creates duties and obligations for any person or company who stores, records, uses or sells the personal information of any person or company in South Africa. Right now, POPI is almost entirely in force and it requires entities who process PI, such as schools, to follow mandatory data protection rules. But many schools may not be aware that European Union (“EU”) data protection laws – the General Data Protection Regulation (“GDPR”) – may simultaneously apply them if they process the PI of a EU citizen or company, which they certainly do every time they host an EU exchange student, contract with an EU school, or even allow an EU citizen to submit a query on their South African website.

Who does POPI and GDPR apply to?

If a South African entity – such as a school – processes the personal information of a South African or an EU citizen (regardless of the EU citizen’s physical location at the time), it must adhere to the South African and EU laws on data protection. Although POPI is not yet in full effect and will only fully apply in the near future, GDPR is already in force as of May 2018. GDPR dictates duties for both the party responsible for the handling and direction of PI (the “Data Controller”), such as a school, as well as for any contracted third party who processes the PI (the “Processor”) on behalf of a school, such as social media or email controllers used by a school.

What happens if you do NOT comply with data laws?

Penalties for non-compliance with local and foreign data laws can be substantial. Apart from attracting heavy monetary fines, a school could fail to secure investment or be able to facilitate exchange programmes if they do not comply with POPI and GDPR. Non-compliant schools could even have their websites shut down or be prohibited from contracting with EU entities.

How to best comply?

If your school’s operations trigger your role as a Data Controller or Processor, you will need to ensure that your school has a comprehensive Data Protection and Personal Information Policy to not only provide all the POPI and GDPR’s mandatory information, but also to ensure that you are correctly implementing the data rights as per the POPI and GDPR requirements for your school’s role in the processing chain. If your school is contracting with an EU partner school, it is essential that data processing roles and duties in line with data laws are comprehensively detailed in any service level agreement you may have in place with them.

How Legalese can help?

Being experts in data protection and personal information privacy, Legalese can draft your mandatory policies and forms to satisfy compliance with both POPI and GDPR and train your staff to understand the paradigm shift towards data protection required by these new laws. We can also ensure that all of your contracts with EU partner schools or students are GDPR-compliant. These new data laws require a fundamental change in school operations, made
simple by Legalese’s comprehensive, understandable and affordable approach.

Drop us a line on for more information.

Contact us
close slider