
Code · BILL · 118th Congress · H.R. 8818 (Introduced in House) — To provide Americans with foundational data privacy rights, create strong oversight mechanisms, and establish meaning... · Sec. 110

Sec. 110. Executive responsibility


A covered entity or service provider (except for a large data holder) shall designate 1 or more qualified employees to serve as privacy and data security officers. An employee who is designated by a covered entity or service provider as a privacy and data security officer shall, at a minimum—
    implement a data privacy program and a data security program to safeguard the privacy and security of covered data in compliance with the requirements of this title; and
    facilitate the ongoing compliance of the covered entity or service provider with this title.

A covered entity or service provider that is a large data holder shall designate 1 qualified employee to serve as a privacy officer and 1 qualified employee to serve as a data security officer.

Beginning on the date that is 1 year after the date of the enactment of this Act, the chief executive officer of a large data holder (or, if the large data holder does not have a chief executive officer, the highest ranking officer of the large data holder) and each privacy officer and data security officer of such large data holder designated under paragraph (1), shall annually certify to the Commission, in a manner specified by the Commission, that the large data holder implements and maintains—
    internal controls reasonably designed, implemented, maintained, and monitored to comply with this title; and
    internal reporting structures (as described in paragraph (3)) to ensure that such certifying officers are involved in, and responsible for, decisions that impact compliance by the large data holder with this title.

A certification submitted under subparagraph (A) shall be based on a review of the effectiveness of the internal controls and reporting structures of the large data holder that is conducted by the certifying officers not more than 90 days before the submission of the certification.

At least 1 of the officers designated under paragraph (1) shall, either directly or through a supervised designee—
    establish practices to periodically review and update, as necessary, the privacy and security policies, practices, and procedures of the large data holder;
    conduct biennial and comprehensive audits to ensure the policies, practices, and procedures of the large data holder comply with this title and, upon request, make such audits available to the Commission;
    develop a program to educate and train employees about the requirements of this title;
    maintain updated, accurate, clear, and understandable records of all significant privacy and data security practices of the large data holder; and
    serve as the point of contact between the large data holder and enforcement authorities.

Not later than 1 year after the date of the enactment of this Act or 1 year after the date on which an entity first meets the definition of the term "large data holder", whichever is earlier, and biennially thereafter, each large data holder shall conduct a privacy impact assessment that weighs the benefits of the covered data collection, processing, retention, and transfer practices of the entity against the potential adverse consequences of such practices to individual privacy.

A privacy impact assessment required under subparagraph (A) shall be—
    reasonable and appropriate in scope given—
        the nature and volume of the covered data collected, processed, retained, or transferred by the large data holder; and
        the potential risks posed to the privacy of individuals by the collection, processing, retention, and transfer of covered data by the large data holder;
    documented in written form and maintained by the large data holder for as long as the relevant privacy policy is required to be retained under section 104(f)(1); and
    approved by the privacy officer of the large data holder.

In assessing privacy risks for purposes of an assessment conducted under subparagraph (A), including significant risks of harm to the privacy of an individual or the security of covered data, the large data holder shall include reviews of the means by which technologies, including blockchain and distributed ledger technologies and other emerging technologies, including privacy enhancing technologies, are used to secure covered data.