A data protection law generally gives a regulator powers:
▪ to send auditors or investigators out to visit organisations and check on their compliance with the law and
▪ to receive complaints from individuals about a possible failure to comply with the law and then to investigate it
Where the regulator elects to do only the latter, the regime is said to be a “complaints-based regime”. In fact, it is a “complaints-based enforcement model” for so long as the regulator elects not to adopt the more proactive – and resource-intensive – audit model.
It is very easy to think that ...