There are a number of models. I would have a hard time identifying one model as the best option.
For example, the European model sets out the key privacy expectations of necessity, proportionality and transparency. It gives a prominent role to privacy organizations. In addition, this model requires other countries to have a proper system in place. These countries are assessed. Canada has recently been granted the status of a country that ensures a proper level of protection. This model makes sure that these criteria are strictly enforced.
Other countries have reached agreements or signed treaties to this end. Quebec adopted Law 25. This legislation requires a privacy impact assessment if data is shared outside Quebec.
These are all examples of discipline and rigour. We must think about privacy from the outset, as soon as we come up with an initiative, as soon as we decide to use a tool.