POPIA Q&A: Who’s Responsible for POPIA & What Will Happen if They Don’t Comply?

Your Information Officer, which is your CEO – the company could also get heavily fined. If you’re receiving new leads from another department, it’s your responsibility to determine where the leads came from, what they’ve given permission for, and whether they’ve been given the opportunity to opt out.

It is possible if they completely ignore the Regulator and their POPIA duties. Usually, the organisation is fined. It’s also very rare to be imprisoned – this may only happen if someone outright ignores the Regulator, doesn’t respond to information to requests, or similar.

But all circumstances are different; it’s best to seek legal advice for clarity.

The company that is sending you these statements is responsible and they can get into huge trouble – that is a data breach.

POPIA distinguishes between the Responsible Party and an Operator or Data Processor. An agency, in this example is a Data Processor – they’re doing what the Responsible Party tells them to do.

In this context, the agency isn’t responsible for the compliance of the database. All the agency is required to do is to act on behalf of the responsible party and keep the information secure. This scenario is different if the agency is building the database for the client. Then, the agency will also be responsible for ensuring its compliance.

Make sure your contracts with your clients are clear on this to manage expectations.

From a security perspective, you’re responsible. From a privacy standpoint, you may not be. It is up to the client to ensure that they have permission from that contact to receive communications.