You've been asked to build a privacy program. Maybe you're a newly appointed DPO, a compliance lead at a growing startup, or a CTO who just realized that your Series B investors care about GDPR. Either way, you're starting from near zero and need a plan.
This roadmap is built for practitioners, not consultants. It prioritizes the actions that create the most compliance value earliest, acknowledges that resources are limited, and focuses on building sustainable practices rather than generating one-time documents that gather dust.
Phase 1: Assessment (Weeks 1-2)
Before you build anything, understand what you're working with.
Map Your Data Processing
Interview each department or team lead. Ask:
- What personal data do you collect?
- Why do you collect it?
- Where is it stored? (System names, not vague references)
- Who has access?
- How long do you keep it?
- Do you share it with anyone outside the organization?
This doesn't need to be perfect on the first pass. A 70% complete data inventory created in two weeks is more valuable than a 100% complete inventory that takes six months.
Identify Your Legal Obligations
Based on your data mapping, determine which laws apply:
- Where are your data subjects? EU residents → GDPR. California residents → CCPA. And so on.
- What type of data do you process? Special categories (health, biometric, racial/ethnic data) trigger additional requirements.
- Do you need a DPO? Mandatory under GDPR for public authorities and organizations whose core activities involve large-scale monitoring or processing of special category data.
Assess Current State
Document what exists today:
- Is there a privacy policy? Is it accurate?
- Are there Data Processing Agreements with vendors?
- Has anyone ever received a DSAR? How was it handled?
- What security measures are in place?
- Are there any open complaints or regulatory inquiries?
This assessment becomes your baseline. Everything you build is measured against it.
Phase 2: Foundation (Weeks 3-6)
Build the minimum viable compliance infrastructure.
Priority 1: Data Inventory
Formalize your assessment into a structured data inventory. For each system:
| Field | Example |
|---|---|
| System name | Salesforce CRM |
| Data types | Name, email, phone, company, purchase history |
| Legal basis | Contract performance |
| Purpose | Customer relationship management |
| Retention period | 3 years after last activity |
| Processor/controller | Processor (Salesforce Inc.) |
| DPA status | Signed |
| Data location | EU (Frankfurt) |
This inventory is the foundation everything else builds on. DSAR fulfillment, retention management, and Deal Pack generation all reference it.
Priority 2: Privacy Policy
Write (or rewrite) your privacy policy to accurately reflect your current processing activities. Cover every Article 13/14 requirement. Keep the language clear and specific.
Don't try to anticipate future processing. Document what you do today. Update it when things change.
Priority 3: DSAR Process
Define how you'll handle data subject requests:
- Intake: Where do requests arrive? (Email, form, phone, social media) → Central collection point
- Identity verification: How do you confirm the requester is who they claim to be?
- Search and compilation: Which systems need to be searched? Who does it?
- Review: Who reviews the compiled data before sending?
- Response delivery: How is the response sent? What format?
- Evidence capture: How is each step documented?
Document this process. Train anyone who might receive a DSAR (which is potentially anyone in customer-facing roles).
Priority 4: Data Processing Agreements
Audit your vendor list against your data inventory. Any vendor processing personal data on your behalf needs a DPA. Most major vendors (AWS, Google, Microsoft, Salesforce, etc.) have standard DPAs available online.
Priority order:
- Cloud infrastructure providers (highest risk, largest data exposure)
- CRM and marketing tools (contain customer data)
- HR and payroll systems (contain employee data)
- Analytics and monitoring tools
- Everything else
Phase 3: Operationalize (Weeks 7-12)
Turn your foundation into running processes.
Retention Implementation
For each entry in your data inventory:
- Define a specific retention period with a clear legal or business justification
- Identify the deletion trigger (account closure, contract end, consent withdrawal, time elapsed)
- Determine whether automated deletion is possible in the system
- Set a verification schedule (monthly, quarterly, annually depending on risk)
Start verifying. The first cycle will reveal gaps — systems that don't support automated deletion, data that's older than the retention period, categories where no one has defined a retention period.
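As an added example (not from the article), here is what one such verification cycle can look like in code: the rule fields mirror the data-inventory table above, the systems, record ids and dates are constructed, and the output is exactly the set of gaps the first cycle is expected to reveal.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class RetentionRule:                 # one row of the data inventory
    system: str
    retention_days: Optional[int]    # None: nobody has defined a period yet
    trigger: str                     # what starts the clock, e.g. "last_activity"
    automated_deletion: bool         # can the system delete on its own?

def verify_retention(rules, records, today):
    """One verification cycle. `records` are (system, record_id, trigger_date) tuples.
    Returns the gaps a first cycle typically surfaces: undefined periods,
    manual-only deletion, overdue records, and systems with no rule at all."""
    by_system = {r.system: r for r in rules}
    findings = {"undefined": [], "manual_deletion": [], "overdue": [], "no_rule": []}
    for rule in rules:
        if rule.retention_days is None:
            findings["undefined"].append(rule.system)
        elif not rule.automated_deletion:
            findings["manual_deletion"].append(rule.system)
    for system, record_id, trigger_date in records:
        rule = by_system.get(system)
        if rule is None:
            findings["no_rule"].append(record_id)
        elif rule.retention_days is not None:
            expiry = trigger_date + timedelta(days=rule.retention_days)
            if expiry < today:
                findings["overdue"].append(record_id)
    return findings

# Constructed sample data: hypothetical systems, ids and dates, not from the article
SAMPLE_RULES = [
    RetentionRule("Salesforce CRM", 3 * 365, "last_activity", False),
    RetentionRule("Support tickets", 730, "ticket_closed", True),
    RetentionRule("Marketing leads", None, "consent_withdrawn", False),
]
SAMPLE_RECORDS = [
    ("Salesforce CRM", "acct-001", date(2020, 1, 15)),
    ("Salesforce CRM", "acct-002", date(2024, 6, 1)),
    ("Support tickets", "tkt-900", date(2022, 3, 3)),
    ("Payroll", "emp-7", date(2019, 1, 1)),   # system missing from the inventory
]

def sample_cycle():
    # Fixed "today" so the result is reproducible
    return verify_retention(SAMPLE_RULES, SAMPLE_RECORDS, date(2025, 1, 1))
```

Each non-empty list is an action item for the next review: a period to define, a manual deletion to schedule, records to purge, or a system to add to the inventory.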
DSAR Test Run
Before a real DSAR arrives, simulate one:
- Submit a test request through your intake channel
- Follow your documented process step by step
- Time each stage
- Identify bottlenecks (a system that requires IT to extract data, a department that doesn't respond)
- Capture evidence as if it were a real request
- Review the output: would this satisfy a regulator?
This exercise reveals process gaps far more effectively than reviewing the documentation alone.
Employee Training
Train three audiences:
- All employees: What is personal data? What are data subject rights? Where to route DSAR requests? (30-minute session)
- Data handlers: How to handle personal data safely. Access controls, sharing restrictions, reporting incidents. (1-hour session)
- DSAR responders: Full process training, identity verification, search procedures, evidence capture. (Half-day session)
Document attendance. Training records are frequently requested during audits and due diligence.
Incident Response Plan
Before a breach happens:
- Define what constitutes a "personal data breach" (not just cyberattacks — a misdirected email counts)
- Identify who needs to be notified internally (DPO, legal, IT, management)
- Prepare a 72-hour notification template for the supervisory authority
- Define criteria for when data subjects must be notified
- Designate who makes the notification decision
- Test the plan with a tabletop exercise
Phase 4: Mature (Months 3-6)
Evidence Capture
Move from ad hoc documentation to systematic evidence capture:
- DSAR handling: timestamp every step, capture screenshots of searches and deliveries
- Retention verification: evidence showing data state at verification time
- Configuration evidence: screenshots of privacy-relevant system settings
- Training evidence: attendance records, completion certificates
Where possible, hash-lock evidence at the point of capture: compute a SHA-256 hash of each item as soon as it is captured and keep the hash where it cannot be altered together with the evidence (a separate log, a second custodian, or a chain in which each hash also covers the previous one). Any later change to the evidence then changes its hash, so the record is tamper-evident and anyone holding the original hash can independently verify it.
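An added example, not the article's own tooling, of what hash-locking looks like in practice: an append-only evidence log where every SHA-256 hash also covers the previous record's hash, so verification detects edits, backdating and removed records. The DSAR steps and timestamps are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first record in a chain

def canonical(entry: dict) -> bytes:
    # Fixed key order and separators so identical content always hashes identically
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")

def hash_entry(prev_hash: str, entry: dict) -> str:
    # Each hash covers the previous hash too, which links the records into a chain
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(entry))
    return h.hexdigest()

def append_evidence(chain: list, step: str, detail: str, captured_at: str) -> dict:
    """Append one evidence record. captured_at is an ISO-8601 UTC timestamp string."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"step": step, "detail": detail, "captured_at": captured_at}
    record = {"entry": entry, "prev_hash": prev_hash, "hash": hash_entry(prev_hash, entry)}
    chain.append(record)
    return record

def verify_chain(chain: list) -> int:
    """Recompute every link. Returns -1 if all verify, else the index of the first
    record whose content or linkage no longer matches its hash."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        if record["prev_hash"] != prev_hash or hash_entry(prev_hash, record["entry"]) != record["hash"]:
            return i
        prev_hash = record["hash"]
    return -1

def build_sample_dsar_chain() -> list:
    # Constructed DSAR evidence trail (hypothetical steps and timestamps)
    chain = []
    append_evidence(chain, "intake", "DSAR received via web form", "2025-01-06T09:12:00Z")
    append_evidence(chain, "identity_verified", "ID matched account email", "2025-01-06T11:40:00Z")
    append_evidence(chain, "search", "CRM export: 14 records", "2025-01-08T15:05:00Z")
    append_evidence(chain, "delivered", "Response sent via secure link", "2025-01-20T10:00:00Z")
    return chain

def tampered_sample() -> list:
    # Backdating one step after the fact breaks that record and everything after it
    chain = build_sample_dsar_chain()
    chain[1]["entry"]["captured_at"] = "2025-01-05T11:40:00Z"
    return chain
```

The chain only proves anything if the latest hash is recorded somewhere the evidence custodian cannot rewrite (sent to a second party, published, or externally timestamped); otherwise the whole chain could simply be recomputed.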
Metrics and Monitoring
Start measuring your program's performance:
- DSAR response time: Average days from receipt to response
- Retention compliance rate: Percentage of rules verified on schedule
- DPA coverage: Percentage of processors with signed agreements
- Training completion: Percentage of employees trained in the current period
- Incident response time: Time from detection to assessment
Publish these internally. Review them monthly. Share them with leadership quarterly.
Continuous Improvement
Schedule regular reviews:
- Monthly: DSAR metrics, open items, upcoming deadlines
- Quarterly: Data inventory review, retention verification cycle, DPA status
- Annually: Full privacy policy review, comprehensive program assessment, training refresh
Each review should produce documented outputs: what was reviewed, what was found, what actions were taken.
Common Pitfalls
Starting with the Policy
Many organizations start by writing a privacy policy. This puts the cart before the horse. You can't write an accurate privacy policy without first mapping your data processing. Start with the inventory.
Treating It as a One-Time Project
A privacy program built as a project — with a start date, deliverables, and a finish date — will be compliant on day one and deteriorating by day thirty. Build ongoing processes, not documents.
Over-Engineering
You don't need a EUR 100,000 privacy management platform on day one. A structured spreadsheet for your data inventory, a shared document for your DSAR process, and a calendar for verification deadlines will take you through Phase 2. Invest in tooling once you understand your processes well enough to know what you need.
Ignoring the Human Element
Technical controls and policies don't create compliance. People do. A privacy program that exists in documents but isn't understood by the people who handle data every day is theater. Invest in training and communication disproportionate to what you think is necessary.
Measuring Program Maturity
Use a simple maturity model to track progress:
| Level | Description |
|---|---|
| 1 - Initial | No formal program. Reactive handling of privacy issues. |
| 2 - Developing | Privacy policy exists. DSAR process defined. Some DPAs in place. |
| 3 - Defined | Data inventory complete. Retention schedule defined. Regular training. Evidence capture for key processes. |
| 4 - Managed | Metrics tracked and reviewed. Systematic evidence capture. Regular verification cycles. Continuous improvement loop. |
| 5 - Optimized | Hash-locked evidence vault. Deal Pack generation capability. Published transparency metrics. Privacy as competitive advantage. |
Most organizations should aim to reach Level 3 within six months and Level 4 within a year. Level 5 is where privacy stops being a cost center and starts generating business value.
The organizations that build effective privacy programs share one characteristic: they start. Not with a perfect plan, not with the right tools, not with enough budget — but with the first data inventory entry, the first documented DSAR response, and the first retention verification. Everything else builds from there.