Over-thinking POPIA contains everything you ever wanted, or didn’t want, to know about the Protection of Personal Information Act (POPIA). It traces the origin of almost every word in POPIA and is packed with insights – some philosophical, some academic, some practical and some downright silly.  Really, what does Dolly Parton know about contract management?

Just like the mighty octopus, this book has nine brains and eight arms, a frankly surprising level of intelligence, cunning disguises and loads of escape techniques. It shifts from meticulous comparative research to practical insight in seconds and covers every data privacy related topic imaginable – how to pronounce POPIA, what policies organisations should have, what reasonableness means, why consent is evil, when to apply for prior authorisation, how secure is secure enough, when is it okay to profile, where the word ‘spam’ came from, what Marié Kondo can teach us about records management and how hard it is to actually get fined R10 million (despite what all the legal professionals are saying).

This book will be useful (and hopefully amusing) to information officers, legal professionals, compliance officers, IT nerds, information governance geeks, regulators, professors and students.

Of all the things POPIA regulates, spam is probably the most controversial. We have made the chapter on Direct Marketing available for free. READ IT NOW

CHAPTER 1: POPIA’S PLACE IN THE GRAND SCHEME OF GOVERNANCE

• POPIA in the greater governance context
• Roles and responsibilities within the organisation
• Documenting POPIA compliance

CHAPTER 2: LAWS AND SAUSAGES: THE PURPOSE AND INTERPRETATION OF POPIA

• POPIA as principle-based legislation
• What you can take into account when you do ‘purposive interpretation’
• Considering international guidelines and foreign law
• The (competing) purposes of POPIA
• Key concepts in POPIA that bring balance to the force
• When POPIA and other South African legislation collide

CHAPTER 3: THE APPLICATION AND SCOPE OF POPIA

• When does POPIA apply?
• When does POPIA not apply?
• When did POPIA come into effect?
• Does POPIA apply retrospectively?

CHAPTER 4: WHO IS HELD ACCOUNTABLE FOR POPIA COMPLIANCE

• The role of ‘accountability’: A quick overview of who will be held liable
• When to determine accountability
• How to identify operators and what they are accountable for
• Identifying co-responsible parties
• How to distinguish employees from responsible parties and operators
• Some practical examples of how to apply the definitions

CHAPTER 5: INFORMATION SECURITY MANAGEMENT

• POPIA is not an IT project or (just) about cybersecurity
• Who is responsible for information security?
• What responsible parties must protect personal information against
• What does POPIA require of responsible parties?
• When the POPIA strikes the fan

CHAPTER 6: PROCESSING MUST BE FOR A LAWFUL PURPOSE

• Defining the purpose for processing
• Do any of the legal justifications apply?

CHAPTER 7: SPECIAL PERSONAL INFORMATION AND CHILDREN’S PERSONAL INFORMATION

• Identifying special personal information
• When will the processing of special personal information be authorised?
• Specific authorisations for certain types of special personal information
• Processing the personal information of children

CHAPTER 8: WHEN THE INFORMATION REGULATOR MUST BE APPROACHED FOR PRIOR AUTHORISATION

• When is prior authorisation required?
• How must the responsible party obtain prior authorisation?
• No prior authorisation is required by industries governed by a code of conduct
• Consequences of not obtaining prior authorisation 

CHAPTER 9: MINIMALITY AND INFORMATION QUALITY

• The role of minimality in data protection: The ‘less is more’ principle
• The relationship between minimality, information quality, information security and records management 
• Unpacking minimality
• How long is a piece of string: the quality standard required by POPIA

CHAPTER 10: COLLECTING AND CREATING PERSONAL INFORMATION

• Overview of collection
• Collecting personal information from the data subject directly (the default rule) 
• When collecting personal information from other sources will be justified
• Creating or generating personal information
• Some typical case studies

CHAPTER 11: NOTIFICATION TO DATA SUBJECTS

• About the condition of openness
• What do responsible parties need to disclose?
• When the notification should be made
• How the notification should happen
• Exceptions to the notification duty
• A comparison between POPIA and PAIA notification requirements
• Trust marks, privacy seals and POPIA certification

CHAPTER 12: FURTHER PROCESSING OF PERSONAL INFORMATION (SECONDARY USE)

• Why a further processing limitation?
• The role of the concept of compatibility in POPIA
• Assessing general compatibility with the original purpose
• When processing for a new purpose is automatically justified
• Further processing of personal information created by the responsible party
• Consequences of incompatibility

CHAPTER 13: ASSESSING SHARING PERSONAL INFORMATION BETWEEN ORGANISATIONS

• What do we mean by ‘sharing’?
• What does POPIA say about sharing
• How do the principles in POPIA apply to sharing?
• Information matching programmes
• Some typical sharing case studies

CHAPTER 14: TRANSBORDER INFORMATION FLOWS AND EXTRA-TERRITORIAL APPLICATION

• Transborder information flows
• Extra-territorial application of data protection laws
• Disclosing transborder information flows

CHAPTER 15: PROFILING, AUTOMATED DECISION-MAKING AND 1984

• What are profiling and automated decision-making?
• When automated decisions are allowed
• How the other principles in POPIA apply to profiling and automated decisions

CHAPTER 16: DIRECT MARKETING

• What to expect when you are expecting to spam
• What is direct marketing?
• What is electronic communication and why does it matter?
• Unsolicited direct marketing
• Electronic direct marketing to data subjects who are already customers
• Unsubscribing from direct marketing (and getting out of roach motels)
• Sending direct marketing on behalf of someone else
• What about other legislation that applies to direct marketing

CHAPTER 17: RECORDS MANAGEMENT

• What is a record?
• Destruction or de-identification of records
• Restriction of processing

CHAPTER 18: DATA SUBJECT RIGHTS

• Data subject request procedures
• The right to access your personal information
• The right to correct or delete personal information
• The right to withdraw consent
• The right to object to processing
• The right not to be subject to automated decision-making
• The right to object in relation to directories
• Does POPIA give data subjects the right to data portability?
• Rights that are discussed in other chapters

CHAPTER 19: ENFORCEMENT OF POPIA

• Is it a bird? Is it a plane? No, it’s the Information Regulator!
• The powers, duties and functions of the Information Regulator
• The status of guidance notes issued by the Regulator
• Codes of conduct
• Investigating complaints
• Investigations initiated by the Information Regulator
• Assessments by the Information Regulator
• Enforcement of PAIA: Here be dragons
• Offenses, penalties and fines
• Civil liability

CHAPTER 20: HOW TO IMPLEMENT A POPIA PROGRAMME

• An overview of a (POPIA) compliance framework
• Personal information impact assessments
• Internal measures to process requests for information or access thereto
• Providing training
• Privacy management software
• How on earth must a small business do this?

• Academics and training institutions
• Legal practitioners
• Risk managers
• Compliance officers
• IT professionals
• Information and data privacy officers