Self-regulation refers to stakeholder-based models for ensuring privacy. The term “self-regulation” can refer to any or all of three pieces: legislation, enforcement and adjudication. Legislation refers to the question of who defines privacy rules. For self-regulation, this typically occurs through the privacy policy of a company or other entity, or by an industry association. Enforcement refers to the question of who should initiate enforcement action. Actions may be brought by data protection authorities, other government agencies, industry code enforcement or, in some cases, the affected individuals. Finally, adjudication refers to the question of who should decide whether an organization has violated a privacy rule. The decision maker can be an industry association, a government agency or a judicial officer. These examples illustrate that the term “self-regulation” covers a broad range of institutional arrangements. For a clear understanding of data privacy responsibilities, privacy professionals should consider who defines the requirements, which organization brings enforcement action and who actually makes the judicial decisions.