CHAPTER 1: POPIA’S PLACE IN THE GRAND SCHEME OF GOVERNANCE
- POPIA in the greater governance context
- Roles and responsibilities within the organisation
- Documenting POPIA compliance
CHAPTER 2: LAWS AND SAUSAGES: THE PURPOSE AND INTERPRETATION OF POPIA
- POPIA as principle-based legislation
- What you can take into account when you do ‘purposive interpretation’
- Considering international guidelines and foreign law
- The (competing) purposes of POPIA
- Key concepts in POPIA that bring balance to the force
- When POPIA and other South African legislation collide
CHAPTER 3: THE APPLICATION AND SCOPE OF POPIA
- When does POPIA apply?
- When does POPIA not apply?
- When did POPIA come into effect?
- Does POPIA apply retrospectively?
CHAPTER 4: WHO IS HELD ACCOUNTABLE FOR POPIA COMPLIANCE
- The role of ‘accountability’: A quick overview of who will be held liable
- When to determine accountability
- How to identify operators and what they are accountable for
- Identifying co-responsible parties
- How to distinguish employees from responsible parties and operators
- Some practical examples of how to apply the definitions
CHAPTER 5: INFORMATION SECURITY MANAGEMENT
- POPIA is not an IT project or (just) about cybersecurity
- Who is responsible for information security?
- What responsible parties must protect personal information against
- What does POPIA require of responsible parties?
- When the POPIA strikes the fan
CHAPTER 6: PROCESSING MUST BE FOR A LAWFUL PURPOSE
- Defining the purpose for processing
- Do any of the legal justifications apply?
CHAPTER 7: SPECIAL PERSONAL INFORMATION AND CHILDREN’S PERSONAL INFORMATION
- Identifying special personal information
- When will the processing of special personal information be authorised?
- Specific authorisations for certain types of special personal information
- Processing the personal information of children
CHAPTER 8: WHEN THE INFORMATION REGULATOR MUST BE APPROACHED FOR PRIOR AUTHORISATION
- When is prior authorisation required?
- How must the responsible party obtain prior authorisation?
- No prior authorisation is required by industries governed by a code of conduct
- Consequences of not obtaining prior authorisation
CHAPTER 9: MINIMALITY AND INFORMATION QUALITY
- The role of minimality in data protection: The ‘less is more’ principle
- The relationship between minimality, information quality, information security and records management
- Unpacking minimality
- How long is a piece of string: the quality standard required by POPIA
CHAPTER 10: COLLECTING AND CREATING PERSONAL INFORMATION
- Overview of collection
- Collecting personal information from the data subject directly (the default rule)
- When collecting personal information from other sources will be justified
- Creating or generating personal information
- Some typical case studies
CHAPTER 11: NOTIFICATION TO DATA SUBJECTS
- About the condition of openness
- What do responsible parties need to disclose?
- When the notification should be made
- How the notification should happen
- Exceptions to the notification duty
- A comparison between POPIA and PAIA notification requirements
- Trust marks, privacy seals and POPIA certification
CHAPTER 12: FURTHER PROCESSING OF PERSONAL INFORMATION (SECONDARY USE)
- Why a further processing limitation?
- The role of the concept of compatibility in POPIA
- Assessing general compatibility with the original purpose
- When processing for a new purpose is automatically justified
- Further processing of personal information created by the responsible party
- Consequences of incompatibility
CHAPTER 13: ASSESSING SHARING PERSONAL INFORMATION BETWEEN ORGANISATIONS
- What do we mean by ‘sharing’?
- What does POPIA say about sharing?
- How do the principles in POPIA apply to sharing?
- Information matching programmes
- Some typical sharing case studies
CHAPTER 14: TRANSBORDER INFORMATION FLOWS AND EXTRA-TERRITORIAL APPLICATION
- Transborder information flows
- Extra-territorial application of data protection laws
- Disclosing transborder information flows
CHAPTER 15: PROFILING, AUTOMATED DECISION-MAKING AND 1984
- What are profiling and automated decision-making?
- When automated decisions are allowed
- How the other principles in POPIA apply to profiling and automated decisions
CHAPTER 16: DIRECT MARKETING
- What to expect when you are expecting to spam
- What is direct marketing?
- What is electronic communication and why does it matter?
- Unsolicited direct marketing
- Electronic direct marketing to data subjects who are already customers
- Unsubscribing from direct marketing (and getting out of roach motels)
- Sending direct marketing on behalf of someone else
- What about other legislation that applies to direct marketing?
CHAPTER 17: RECORDS MANAGEMENT
- What is a record?
- Destruction or de-identification of records
- Restriction of processing
CHAPTER 18: DATA SUBJECT RIGHTS
- Data subject request procedures
- The right to access your personal information
- The right to correct or delete personal information
- The right to withdraw consent
- The right to object to processing
- The right not to be subject to automated decision-making
- The right to object in relation to directories
- Does POPIA give data subjects the right to data portability?
- Rights that are discussed in other chapters
CHAPTER 19: ENFORCEMENT OF POPIA
- Is it a bird? Is it a plane? No, it’s the Information Regulator!
- The powers, duties and functions of the Information Regulator
- The status of guidance notes issued by the Regulator
- Codes of conduct
- Investigating complaints
- Investigations initiated by the Information Regulator
- Assessments by the Information Regulator
- Enforcement of PAIA: Here be dragons
- Offences, penalties and fines
- Civil liability
CHAPTER 20: HOW TO IMPLEMENT A POPIA PROGRAMME
- An overview of a (POPIA) compliance framework
- Personal information impact assessments
- Internal measures to process requests for information or access thereto
- Providing training
- Privacy management software
- How on earth must a small business do this?