In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers who’s responsible for POPIA and what will happen if they don’t comply.

POPIA Q&A: Who’s Responsible for POPIA & What will Happen if They Don’t Comply? | POPIA Compliance

Who’s Responsible for POPIA Q&A:

Your Information Officer, which is your CEO – the company could also get heavily fined. If you’re receiving new leads from another department, it’s your responsibility to determine where the leads came from, what they’ve given permission for, and whether they’ve been given the opportunity to opt out.

It is possible if they completely ignore the Regulator and their POPIA duties. Usually, the organisation is fined. It’s also very rare to be imprisoned – this may only happen if someone outright ignores the Regulator, doesn’t respond to information to requests, or similar.

But all circumstances are different; it’s best to seek legal advice for clarity.

POPIA distinguishes between the Responsible Party and an Operator or Data Processor. An agency, in this example is a Data Processor – they’re doing what the Responsible Party tells them to do.

In this context, the agency isn’t responsible for the compliance of the database. All the agency is required to do is to act on behalf of the responsible party and keep the information secure. This scenario is different if the agency is building the database for the client. Then, the agency will also be responsible for ensuring its compliance.

Make sure your contracts with your clients are clear on this to manage expectations.

From a security perspective, you’re responsible. From a privacy standpoint, you may not be. It is up to the client to ensure that they have permission from that contact to receive communications.