The Privacy ‘Police’

Countries with privacy legislation use a variety of enforcement mechanisms that are constantly evolving. For some, a Privacy Regulator is appointed. For others, there are civil and/or criminal penalties (Baker & McKenzie & International Association of Privacy Professionals, 2012). For example, in Canada the Office of the Privacy Commissioner / Ontario was established under the provincial privacy legislation. In Hong Kong, there are criminal penalties for direct marketing.

In order to comply with legislation, named organizations create a variety of policies, standards and procedures. In some countries, the legislation specifies the need for a Chief Privacy Officer (CPO) role; one example is section 4.1 of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

In other organizations, privacy is part of another group (for example, security, compliance or legal). Organizational policies are typically managed through traditional program management procedures that are not specific to privacy: for example, an accountable person, an assigned budget, and a program of regular training and awareness (American Institute of Certified Public Accountants, Generally Accepted Privacy Principles).

Together, these activities make up a privacy management program run by the CPO (or equivalent). Once the program is up and running, there are several mechanisms that may be used not only to evaluate the efficacy of the day-to-day operations but also to identify any new potential privacy impacts to data subjects (as required under legislation).

Typically, a data subject would have no visibility into, or transparency about, organizational privacy practices unless required by legislation. Data subjects face an increasingly complex computational environment that they must negotiate in order to adequately protect themselves. In parallel, both government and private sector organizations face increased external scrutiny from the press and regulatory bodies around the world.

While there are some technical and policy solutions, to date there is no codified and/or institutionalized mechanism for representing privacy to a data subject.