Privacy management: the different lines of privacy governance

October 11, 2021

Since the arrival of the General Data Protection Regulation (GDPR), organisations have put the register of processing activities in order, written procedures and checklists, ensured transparent information for those involved and made an effort to raise awareness of the major issue of 'privacy' among employees. And now? This may come as a shock: the GDPR is not a checklist that an organisation can tick off. Privacy, and with it the GDPR, is a subject that lives and must live continuously within an organisation.

Securing the GDPR in an organisation stands or falls with privacy management. Good privacy management is not possible without the support of managers and the board of directors. Nor is it possible without the time, capacity and training that employees are given, which covers part of the GDPR implementation. Without privacy management, these steps are null and void. The upcoming blog series dives deeper into the subject of privacy management.

This blog focuses on the concept of privacy governance. Privacy governance is an important part of privacy management. This blog explains what privacy governance is, what privacy governance can look like and highlights the importance of support, time and capacity.

What is privacy governance?

Privacy governance means that the tasks and responsibilities arising from the GDPR are arranged for and embedded throughout the organisation. It is an illusion that the GDPR is only a task of Legal Affairs or that it is only a task of the privacy officer. This is not the case, as the GDPR affects all facets of an organisation. It is therefore logical that the entire organisation must do something with the GDPR. Of course, the type and size of the organisation, which (special) personal data and the quantity of personal data you process play a role in the interpretation of privacy governance, but no matter how large or small, every organisation must start working with privacy governance.

Privacy governance in practice

Privacy governance can be divided into several lines, namely the 1st, 2nd and 3rd line. The 1st line consists of the employees who are the first point of contact about the GDPR within the departments or teams. The 2nd line is the privacy officer and the 3rd line is (if the organisation has one) the data protection officer (DPO).

It is important to put the various tasks and functions of the 1st, 2nd and 3rd line on paper, so that it is clear who is responsible for what task and what a function entails. It is also important that the organisation knows how privacy governance is set up within the organisation and who can be contacted for privacy-related questions.

Involve someone from each department where personal data is processed (and where relevant) to act as a point of contact (also called GDPR Hero, privacy ambassador, GDPR point of contact, privacy champion etc.) for the GDPR and to act as the eyes and ears of a department. Think for example of HR, IT, marketing, and finance. It is very important that they understand the importance of the GDPR and their function. One way of achieving this is by organising workshops or awareness sessions.

An important role that is often forgotten is the role of communication. If, for example, the data breach process has finally been completed, how do you ensure that the employees are aware of this and actually know what to do with it? Employees are often not eager to read those 20 pages of policy. The communication department can be of great help to an organisation in making the document even more readable and clear, and in creating a fact sheet or a "flyer" together, which contains the most important points of the process and which employees have to deal with in practice. In this way, the most important points of the process are made manageable and you ensure that more employees understand what is expected of them.

Importance of support, time and capacity

Without the support, time and capacity of the management and board, the GDPR often remains a set of processes and policy documents on paper that few employees can do anything with. It is therefore important that the tasks and responsibilities are defined, formally or informally, and that the tasks in the GDPR are not something that is added to all kinds of other tasks, but that they really become part of someone's daily work method. In practice, if this does not become part of the daily routine, the subject of GDPR often ends up at the bottom of the to-do list. And that is a terrible shame after all the GDPR implementation steps that were taken before.

If your organisation needs help in setting up the tasks from the GDPR, please do not hesitate to contact us! Mail us at

More about the roles and tasks of the 1st, 2nd and 3rd line within privacy governance in the next blog!