POPIA Q&A: Who’s Responsible for POPIA & What Will Happen if They Don’t Comply?

In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers who’s responsible for POPIA and what will happen if they don’t comply.

Who’s Responsible for POPIA Q&A:

If the marketing department sends marketing to leads gathered by other departments and it turns out there wasn’t an opt-in, who will get into trouble?

Your Information Officer, which is your CEO – the company could also get heavily fined. If you’re receiving new leads from another department, it’s your responsibility to determine where the leads came from, what they’ve given permission for, and whether they’ve been given the opportunity to opt out.

Can information officers be fined in their personal capacity?

It is possible if they completely ignore the Regulator and their POPIA duties. Usually, the organisation is fined. It’s also very rare to be imprisoned – this may only happen if someone outright ignores the Regulator, doesn’t respond to information requests, or similar.

But all circumstances are different; it’s best to seek legal advice for clarity.

I’m getting someone else’s statements by accident (15 to 20 per week). I have tried everything to get them to correct their email address, but to no avail. Now I’m just dumping them. Who is responsible?

The company that is sending you these statements is responsible and they can get into huge trouble – that is a data breach.

As an agency, where does the responsibility lie? If the client has guaranteed the compliance of their database to which the agency markets, can the agency take them at their word?

POPIA distinguishes between the Responsible Party and an Operator or Data Processor. An agency, in this example, is a Data Processor – they’re doing what the Responsible Party tells them to do.

In this context, the agency isn’t responsible for the compliance of the database. All the agency is required to do is to act on behalf of the responsible party and keep the information secure. This scenario is different if the agency is building the database for the client. Then, the agency will also be responsible for ensuring its compliance.

Make sure your contracts with your clients are clear on this to manage expectations.

If we are sending on behalf of a client, who is responsible for the protection of the data?

From a security perspective, you’re responsible. From a privacy standpoint, you may not be. It is up to the client to ensure that they have permission from that contact to receive communications.

For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.
