A data protection organisation, which understands current risks and capabilities, exists to protect people’s information rights.
Most G20 countries have a data protection regulator. Most of these are stand-alone organisations with jurisdiction over overall data protection matters in their country.
In Canada, there are regional offices for the data protection regulator.
Some countries without a data protection regulator delegate this area of responsibility to government ministries. For example, in China responsibility is split between the Ministry of Industry and Information Technology and the State Administration for Industry and Commerce.
Japan: The Consumer Affairs Agency delegates and oversees the implementation of the Act on the Protection of Personal Information by government departments. Each government department is responsible for data protection in its own area, for example, the protection of medical data by the Ministry of Health, Labour and Welfare.
Australia: The Office of the Australian Information Commissioner enforces wider privacy law, but the Spam Act, which regulates unsolicited communications, is enforced by the telecoms regulator, the Australian Communications and Media Authority.
Jurisdiction between different government departments could be unclear.
Loose definitions of personal data could allow data controllers to take advantage of gaps in coverage.
Insufficient technical ability or understanding in the organisation.