POPIA Q&A: Who’s Responsible for POPIA & What will Happen if they don’t Comply?

If the marketing department sends marketing to leads gathered by other departments and it turns out there wasn’t an opt in, who will get into trouble?

Your Information Officer, who is your CEO – the company could also get heavily fined. If you’re receiving new leads from another department, it’s your responsibility to determine where the leads came from, what they’ve given permission for, and whether they’ve been given the opportunity to opt out.

Can information officers be fined in their personal capacity?

It is possible if they completely ignore the Regulator and their POPIA duties. Usually, the organisation is fined. It’s also very rare to be imprisoned – this may only happen if someone outright ignores the Regulator, doesn’t respond to information requests, or similar.

But all circumstances are different; it’s best to seek legal advice for clarity.

I’m getting someone else’s statements by accident (15 to 20 per week). I have tried everything to get them to correct their email address, but to no avail. Now I’m just dumping them. Who is responsible?

The company that is sending you these statements is responsible and they can get into huge trouble – that is a data breach.

As an agency, where does the responsibility lie? If the client has guaranteed the compliance of their database to which the agency markets, can the agency take them at their word?

POPIA distinguishes between the Responsible Party and an Operator (Data Processor). An agency, in this example, is a Data Processor – it does what the Responsible Party tells it to do.

In this context, the agency isn’t responsible for the compliance of the database. All the agency is required to do is act on behalf of the Responsible Party and keep the information secure. This scenario is different if the agency is building the database for the client; then the agency will also be responsible for ensuring its compliance.

Make sure your contracts with your clients are clear on this to manage expectations.

If we are sending on behalf of a client, who is responsible for the protection of the data?

From a security perspective, you’re responsible. From a privacy standpoint, you may not be. It is up to the client to ensure that they have permission from that contact to receive communications.

More information on the POPI Act is available here.