When prioritising GDPR compliance, a wide variety of approaches are typically promoted such as beginning with a data inventory, a governance structure or conducting Data Protection Impact Assessments. The challenge with these traditional approaches is that not all organisations have the resources or the business case to begin their privacy management with these steps.

The approach to prioritising details in our vision is based on the concept of structured privacy management. Structured privacy management is a proven method for implementing an effective privacy management program that allows organisations to demonstrate an ongoing capacity to comply. It is founded on three elements: responsibility, ownership, and evidence.


Structured Privacy Management is enabling ongoing technical and organisational measures throughout the organisation, resulting in the ability to demonstrate evidence-based accountability and compliance


Accountability mechanisms include policies, procedures, guidelines, checklists, training and awareness activities, transparency measures, technical safeguards and other mechanisms that mitigate internal and external privacy risk.


In a structured approach to privacy management, responsibility means the appropriate technical and organisational measures have been implemented and are maintained on an ongoing basis, resulting in the creation of appropriate accountability measures.



The organisation maintains effective privacy management consisting of ongoing privacy management activities (technical and organisational measures)



An individual is accountable for the management and monitoring of privacy management activities (technical and organisational measures).



Documentation that is a by-product of accountability mechanisms is made available by the owner.


When accountability mechanisms are being maintained, documentation is produced. That documentation can be used as evidence of accountability, ownership and GDPR compliance. Evidence can be formal (e.g. policies, procedures) or informal (e.g. communications, workflows). When using a structured approach to GDPR Compliance, evidence is always a by-product of an accountability mechanism, e.g. evidence is not produced for the sake of documentation but because of an activity.


  • Employees: full or partial headcount
  • Buy-in or support from Executives / Senior Management
  • Other departments or groups such as internal Audit, Compliance, ERM
  • Shared Services (Info Sec, IT, Legal, Procurement)
  • External Consultants / Advisors / Auditors / Service Providers
  • Data Protection Authority


  • Workflows for approval / sign-off
  • Monitoring / Reviewing controls or mechanisms
  • Communications / Meetings
  • Training / knowledge sharing
  • Escalation paths


  • File / document sharing platforms
  • Collaboration tools
  • Information Security / Data Protection controls
  • ERP Systems
  • Ticketing Systems
  • E-learning Systems


  • Compliance research subscriptions
  • Subscription newsletters to stay informed
  • Templates and samples
  • Privacy management systems
  • Privacy / Risk / Compliance reporting software
  • PIA solutions
  • Rationalised rules table generators
  • Benchmarking solutions


Privacy is contextual, and thus, privacy management must be contextual. Therefore, there are no standard checklists to which a Privacy Officer can point and say, “We are responsible”. To articulate how the organisation’s data processing activities are carried out in compliance with the Rules (e.g. to demonstrate compliance), one must understand the activities themselves, the motivations behind them, how the Rules apply, along with many other factors. Privacy officers are uniquely positioned to demonstrate compliance and accountability. They have the expertise to interpret requirements, the knowledge to understand how they apply to each type of processing, and can communicate the context of compliance.

Privacy context includes:


Organisations in most jurisdictions are required to comply with privacy laws and regulations – over 770 privacy laws exist around the world. In addition, they must often comply with policies or other commitments such as privacy notices or codes of conduct. These requirements are collectively referred to as Rules. The Privacy Officer

understands the Rules and therefore can provide context for how they apply to each type of data processing.

Data Processing Practices

The Privacy Officer understands the organisation’s practices that involve the processing of personal data, including business operations and back office functions, such as human resources, marketing, and finance. Working with stakeholders throughout the organisation, the Privacy Officer can understand and provide context for how the Rules apply to organisational practices.

Privacy Management

The Privacy Officer understands the privacy management activities that have been implemented throughout the organisation and how they are maintained. Many decisions related to privacy management are influenced by theRules and how they apply to data processing. Explaining these decisions is a key element of providing context.

Privacy Risk

The Privacy Officer understands the risk of harm to individuals and to the organisation4. The Privacy Officer can explain how privacy risk can influence decisions related to which privacy management activities to implement and why. Related to privacy risk, another element of context is the decision to prioritise one risk mitigation activity over another, when resources are limited.

Consultancy client solutions

Privacy Strategic Program 

What is privacy program management? It is the structured approach of combining several disciplines into a framework that allows an organization to meet legal compliance requirements and the expectations of business clients or customers while reducing the risk of a data breach. The framework follows program management principles and considers privacy regulations from around the globe. It incorporates common privacy principles and implements concepts such as privacy by design and privacy by default.

The approach to prioritising details in our vision is based on the concept of structured privacy management. Structured privacy management is a proven method for implementing an effective privacy management program that allows organisations to demonstrate an ongoing capacity to comply. It is founded on three elements: responsibility, ownership, and evidence.

privacy strategic governance

Privacy Governance

Building a strong privacy program starts with establishing the appropriate governance of the Privacy Program. The term privacy governance will be used here to generally refer to the components that guide a privacy function toward compliance with privacy laws and regulations and enable it to support the organization organization’s broader business objectives and goals. These components include:

· Creating the organizational privacy vision and mission statement
· Defining the scope of the privacy program
· Selecting an appropriate privacy framework
· Developing the organizational privacy strategy
· Structuring the privacy team

privacy strategic governance

Incident Management Program

An incident management Program (IMP), sometimes called an incident response plan or emergency management plan, is a strategy that helps an organization return to normal as quickly as possible following an unplanned event. An IMP can identify weaknesses in a business, mitigate the impact of a variety of situations, and limit damage to an organization’s reputation, finances and operations. n incident management plan is used for:

• recognizing an incident;
• quickly assessing the situation;
• notifying people affected;
• organizing the response;
• documenting how to recover.

incident management program

Privacy by design and Privacy by default

When followed, the principles of PbD ensure that an organization establishes a culture of privacy as realized through the privacy framework, mission statement, training and awareness. The organization, having implemented a tactical strategy to reduce privacy-associated risks, may then be viewed favorably by its peer industry partners and consumers.

Article 25 from Chapter IV of the EU GDPR and Recital 78, articulate what is meant by data protection by design and default from an EU perspective.

They are highly similar in concept and in goal: that information privacy should be built in to the design process and not added on as an afterthought.

privacy strategic governance