C&L_December 2017 (1)

Cover Story+ 

Should there be strict liability on the data controller, 

either generally, or in any specific categories of processing, 

when well-defined harms are caused as a result of data 

processing? 

[Part IV/Ch. 2 (Accountability and enforcement tools)/Q5/Pg.155 

Should the data controllers be required by law to take 

out insurance policies to meet their liability on account 

of any processing which results in harm to data subjects? 

Should this be limited to certain data controllers or certain 

kinds of processing? 

[Part IV/Ch. 2 (Accountability and enforcement tools)/Q6/Pg.156] 

If the data protection law calls for accountability as 

a mechanism for protection of privacy, what would be 

impact on industry and other sector? 


What are the subject matters for which codes of practice 

or conduct may be prepared? 

[Part IV/Ch. 2 (Accountability and enforcement tools)/Q2/Pg.160 

What is the process by which such codes of conduct or 

practice may be prepared? Specifically, which stakeholders 

should be mandatorily consulted for issuing such a code 

of practice? 


Who should issue such codes of conduct or practice? 


How should such codes of conduct or practice be 

enforced? 


What should be the consequences for violation of a code 

of conduct or practice? 


How should a personal data breach be defined? 


When should personal data breach be notified to the 

authority and to the affected individuals? 


What are the circumstances in which data breaches 

must be informed to individuals? 


What details should a breach notification addressed to 

an individual contain? 


Should a general classification of data controllers be 

made for the purposes of certain additional obligations 

facilitating compliance while mitigating risk? 


Should data controllers be classified on the basis of the 

harm that they are likely to cause individuals through 

their data processing activities? 


What are the factors on the basis of which such data 

controllers may be categorized? 


What are the circumstances when Data Protection 

Impact Assessments (DPIA) should be made mandatory? 

[Part IV/Ch. 2 (Accountability and enforcement tools: Data Protection 

Impact Assessment)/Q2/Pg.173] 

Who should conduct the DPIA? In which circumstances 

should a DPIA be done (i) internally by the data controller; 

(ii) by an external professional qualified to do so; and 

(iii) by a data protection authority? 



What are the circumstances in which a DPIA report 

should be made public? 



Is there a need to make data protection audits mandatory 

for certain types of data controllers? 

[Part IV/Ch. 2 (Accountability and enforcement tools: Data protection 

Audit)/Q2/Pg.173] 

Should data audits be undertaken internally by the data 

controller, by a third party (external person/agency), or by 

a data protection authority? 


Audit)/Q4/Pg.173] 

Should it be mandatory for certain categories of data 

controllers to designate particular officers as DPOs for the 

facilitation of compliance and coordination under a data 

protection legal framework? 


officer)/Q2/Pg.174] 

What should be the qualifications and expertise of such 

a DPO? 



What should be the functions and duties of a DPO? 



18 CIO&LEADER | December 2017

Previous page

Next page

1

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

C&amp;L_December 2017 (1)

Create successful ePaper yourself

Delete template?

Save as template?

C&L_December 2017 (1)