How to control your privacy architecture?

In the previous chapters we discussed how to document and measure privacy in a mid-sized or large company. However, one key aspect is always governance.

A short definition of governance is: making decisions and then ensuring that they are followed, using compliance mechanisms backed by strong organizational and operational metrics. The functional parts of a governance structure are:

  1. Organizational model: The purpose and structure of the body that manages and allocates responsibility for each company priority area across the different organizational entities -- corporate, functional groups, and geographies.

  2. Decision making: Definition of the decision-making and funding processes for the on-going planning and management of privacy activities.

  3. Process and people: Infrastructure and capabilities for pre- and post-deployment support.

Under the GDPR, the following roles are typically defined:

  1. DPO (Data Protection Officer): the point of contact for the supervisory authority; normally issues recommendations and best practices to the rest of the organisation.

  2. Controller: determines the purposes and means of processing personal data and is responsible for that processing. In this model we have allocated this role to the process owner. The reason is twofold: 1) privacy is a business issue, not an IT issue, and 2) each process owner defines the means and purpose of the actual data processing.

  3. Processor: processes personal data on behalf of the controller. In our model we do not have that role. The reason is that, from a governance point of view, it is normally the same as the controller, only limited to what the controller has given permission to execute.

[Figure: privacy governance]