Effective Enforcement of a Data Protection: A Model for Risk-Based Supervision Using Responsive Regulatory Tools

This paper presents ideas for a new approach to enforcement of a data protection regime, based on risk-based supervision and the use of a range of responsive enforcement tools that could be deployed in advance of a breach to prevent it, or after a breach to mitigate the effects. Building on the risk-based approach to supervision, the model proposes a methodology to identify those entities that potentially pose more risk (to individuals and the system) when the personal data they hold is compromised.

Part 2 of this paper proposes a risk-based framework to identify and classify entities based on the risk they pose when the personal data they hold is compromised, using both qualitative and quantitative components. Part 3 sets out an enforcement toolkit for data protection, guided by the paradigm of responsive regulation (that also employs ex ante tools) to prevent and mitigate the effects of a compromise of personal data. This approach is a departure from the post-data breach sanctions that currently dominate data protection regimes worldwide. Part 4 sets out the features of institutional design and inter-sectoral coordination required for effective implementation of such a model approach for risk-based supervision and enforcement of data protection rights.