Product & Team Playbooks

Run vendor and feature launch reviews

Every new vendor integration and product feature can introduce compliance risk. GDPR requires a Data Protection Impact Assessment before high-risk processing begins, and CPRA directs businesses to assess the risk of processing that poses significant risk to consumers' privacy. Both obligations are far easier to meet when the review happens before launch than when it is retrofitted after data is already flowing.

Vendor Reviews

  • Verify whether the vendor processes personal data on your behalf, and which categories.

  • Review and sign a Data Processing Agreement (DPA).

  • Assess security certifications (ISO 27001, SOC 2).

  • Confirm data residency and transfer safeguards.

Feature Launch Reviews

  • Document what data will be collected and why.

  • Identify the GDPR lawful basis (for example consent or legitimate interest) and any CPRA obligation that applies (opt-out of sale or sharing, limiting use of sensitive personal information).

  • Run a Data Protection Impact Assessment (DPIA) for high-risk features.

  • Validate that retention and deletion rules are in place.

Transparency and Communication

  • Update privacy policy to reflect new vendors or features.

  • Provide clear user-facing notices when new data is collected.

  • Ensure customer support has scripts to explain changes if asked.

Example: Adding a New Analytics Tool

Before integrating a third-party analytics SDK:

  • Vendor review confirms DPA and encryption controls.

  • Feature review documents lawful basis for analytics.

  • Privacy policy updated to list the new vendor.

  • Users see a banner with updated cookie choices.

Implementing Reviews in Practice

Vendor review checklist snippet (each item is answered before the vendor is approved)

vendor_review:
  - Does the vendor process personal data?
  - DPA signed and on file?
  - Security certifications reviewed (ISO 27001, SOC 2)?
  - Data residency confirmed and transfer safeguards in place?

Feature launch review template

feature_name: New Recommendation Engine
data_collected: purchase history, clicks
purpose: improve personalization
lawful_basis: consent
retention: 12 months
privacy_reviewed_by: DPO

Automated reminder (runs at 10:00 on the first day of every month)

# Monthly reminder to review vendor and feature launches
0 10 1 * * ./send_privacy_review_reminder.sh
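A reminder only prompts someone to look; a launch gate fails the pipeline when a review record is incomplete. The following script is an added example, not part of the playbook: it encodes the checklist rules above as checks over feature and vendor review records. Field names follow the two templates above; the fields dpia_completed, processes_personal_data, dpa_signed, certifications, data_region, transfer_safeguards, the allowed set of lawful bases, the list of sensitive categories and the EEA home region are assumptions for illustration. The sample records are constructed and describe no real vendor or feature; in practice the records would be loaded from the YAML files with a parser such as PyYAML.

```python
"""Launch gate for privacy review records (added example, not the playbook's own tooling)."""
import re

# Fields from the feature launch review template above.
REQUIRED_FEATURE_FIELDS = ("feature_name", "data_collected", "purpose",
                           "lawful_basis", "retention", "privacy_reviewed_by")
# Assumed allowed values: GDPR lawful bases plus the CPRA obligations named above.
ALLOWED_BASES = {"consent", "contract", "legitimate_interest",
                 "legal_obligation", "opt-out", "limitation"}
# Assumed categories that trigger a DPIA before launch.
SENSITIVE_CATEGORIES = {"health", "biometric", "precise_location",
                        "government_id", "financial_account"}
# Retention must be a bounded period such as "12 months"; "indefinite" fails.
RETENTION_RE = re.compile(r"^\d+ (days?|months?|years?)$")
HOME_REGION = "EEA"  # assumption: where the company's data normally resides


def _as_list(value):
    """Accept either a YAML list or the comma-separated string used in the template."""
    if isinstance(value, str):
        return [item.strip() for item in value.split(",") if item.strip()]
    return list(value or [])


def check_feature_review(rec):
    """Return a list of problems; an empty list means the feature may launch."""
    problems = []
    for name in REQUIRED_FEATURE_FIELDS:
        if not rec.get(name):
            problems.append(f"missing field: {name}")
    basis = rec.get("lawful_basis")
    if basis and basis not in ALLOWED_BASES:
        problems.append(f"unrecognised lawful_basis: {basis!r}")
    retention = rec.get("retention")
    if retention and not RETENTION_RE.match(str(retention)):
        problems.append(f"retention must be a bounded period, got {retention!r}")
    sensitive = set(_as_list(rec.get("data_collected"))) & SENSITIVE_CATEGORIES
    if sensitive and not rec.get("dpia_completed"):
        problems.append(f"sensitive data {sorted(sensitive)} collected but no DPIA on file")
    return problems


def check_vendor_review(rec):
    """Return a list of problems; vendors that never see personal data need only a name."""
    problems = []
    if not rec.get("vendor"):
        problems.append("missing field: vendor")
    if not rec.get("processes_personal_data"):
        return problems
    if not rec.get("dpa_signed"):
        problems.append("processes personal data but no DPA on file")
    if not rec.get("certifications"):
        problems.append("no security certification reviewed (ISO 27001 / SOC 2)")
    if rec.get("data_region") != HOME_REGION and not rec.get("transfer_safeguards"):
        problems.append(f"data leaves {HOME_REGION} without transfer safeguards")
    return problems


def gate(feature_records, vendor_records):
    """Run every record through its checker; return (passed, report lines)."""
    report = []
    for rec in feature_records:
        for p in check_feature_review(rec):
            report.append(f"feature {rec.get('feature_name', '?')}: {p}")
    for rec in vendor_records:
        for p in check_vendor_review(rec):
            report.append(f"vendor {rec.get('vendor', '?')}: {p}")
    return (not report), report


# Constructed sample records for demonstration (no real vendors or features).
FEATURE_OK = {"feature_name": "New Recommendation Engine",
              "data_collected": "purchase history, clicks",
              "purpose": "improve personalization", "lawful_basis": "consent",
              "retention": "12 months", "privacy_reviewed_by": "DPO"}
FEATURE_BAD = {"feature_name": "Wellness Insights",
               "data_collected": ["health", "clicks"], "purpose": "personalised tips",
               "lawful_basis": "because marketing asked", "retention": "indefinite"}
VENDOR_OK = {"vendor": "Example Analytics", "processes_personal_data": True,
             "dpa_signed": True, "certifications": ["SOC 2"],
             "data_region": "US", "transfer_safeguards": ["SCCs"]}
VENDOR_BAD = {"vendor": "Example CRM", "processes_personal_data": True,
              "dpa_signed": False, "certifications": [], "data_region": "US"}
VENDOR_NO_PII = {"vendor": "Example CDN", "processes_personal_data": False}

if __name__ == "__main__":
    passed, lines = gate([FEATURE_OK, FEATURE_BAD], [VENDOR_OK, VENDOR_BAD, VENDOR_NO_PII])
    print("\n".join(lines) or "all reviews complete")
    raise SystemExit(0 if passed else 1)
```

Wire the script into the release pipeline so a non-zero exit blocks the deploy; the printed report is the audit log entry the quick checklist below asks for.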

Quick Review Checklist

  • Review every vendor for a signed DPA, security certifications, and cross-border transfer safeguards

  • Document data collected by new features and lawful bases

  • Perform DPIAs for high-risk or sensitive processing

  • Update privacy policies and user notices as needed

  • Log reviews for audits and accountability

Conclusion

Running vendor and feature launch reviews ensures privacy risks are caught early rather than after deployment. By making these reviews routine, companies prevent compliance gaps, protect users, and streamline audits with well-documented decisions.