C&L_December 2017 (1)
Cover Story+

Should there be strict liability on the data controller, either generally, or in any specific categories of processing, when well-defined harms are caused as a result of data processing?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.155]

Should the data controllers be required by law to take out insurance policies to meet their liability on account of any processing which results in harm to data subjects? Should this be limited to certain data controllers or certain kinds of processing?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q6/Pg.156]

If the data protection law calls for accountability as a mechanism for protection of privacy, what would be the impact on industry and other sectors?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q7/Pg.156]

What are the subject matters for which codes of practice or conduct may be prepared?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.160]

What is the process by which such codes of conduct or practice may be prepared? Specifically, which stakeholders should be mandatorily consulted for issuing such a code of practice?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.160]

Who should issue such codes of conduct or practice?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.160]

How should such codes of conduct or practice be enforced?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.160]

What should be the consequences for violation of a code of conduct or practice?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.160]

How should a personal data breach be defined?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.166]

When should a personal data breach be notified to the authority and to the affected individuals?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.166]

What are the circumstances in which data breaches must be informed to individuals?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.166]

What details should a breach notification addressed to an individual contain?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.166]

Should a general classification of data controllers be made for the purposes of certain additional obligations facilitating compliance while mitigating risk?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.172]

Should data controllers be classified on the basis of the harm that they are likely to cause individuals through their data processing activities?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q3/Pg.172]

What are the factors on the basis of which such data controllers may be categorized?
[Part IV/Ch. 2 (Accountability and enforcement tools)/Q4/Pg.172]

What are the circumstances when Data Protection Impact Assessments (DPIA) should be made mandatory?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection Impact Assessment)/Q2/Pg.173]

Who should conduct the DPIA? In which circumstances should a DPIA be done (i) internally by the data controller; (ii) by an external professional qualified to do so; and (iii) by a data protection authority?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection Impact Assessment)/Q3/Pg.173]

What are the circumstances in which a DPIA report should be made public?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection Impact Assessment)/Q4/Pg.173]

Is there a need to make data protection audits mandatory for certain types of data controllers?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection Audit)/Q2/Pg.173]

Should data audits be undertaken internally by the data controller, by a third party (external person/agency), or by a data protection authority?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection Audit)/Q4/Pg.173]

Should it be mandatory for certain categories of data controllers to designate particular officers as DPOs for the facilitation of compliance and coordination under a data protection legal framework?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection officer)/Q2/Pg.174]

What should be the qualifications and expertise of such a DPO?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection officer)/Q3/Pg.174]

What should be the functions and duties of a DPO?
[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection officer)/Q4/Pg.174]

18 CIO&LEADER | December 2017