AI Governance: GDPR Pt 4 DPIA | IAPP

Key Takeaways

Small teams need lightweight, actionable governance — not enterprise-grade bureaucracy
A one-page policy baseline is enough to start; iterate from there
Assign one policy owner and hold a weekly 15-minute review
Data handling and prompt content are the top risk areas
Human-in-the-loop is required for high-stakes decisions

This playbook section helps small teams implement AI governance with a clear policy baseline, practical risk controls, and an execution-friendly checklist. It's designed for teams that need to move fast while still meeting basic compliance and risk expectations.

If you only do three things this week: publish an "allowed vs not allowed" policy, name an owner, and set a short review cadence to keep usage visible and intentional.

Governance Goals

For a lean team, governance goals should translate directly into day-to-day behaviors: what people can do, what they must not do, and what they need approval for.

Reduce avoidable risk while preserving team velocity
Make "approved vs not approved" usage explicit
Provide lightweight review ownership and cadence
Keep a paper trail (decisions, incidents, exceptions) without slowing delivery

Risks to Watch

Most small teams underestimate "silent" risks: sensitive data in prompts, untracked tools, and decisions made from model output that never get reviewed.

Data leakage via prompts or outputs
Over-trusting model output in production decisions
Untracked shadow AI usage
Vendor/tooling sprawl without a risk owner or inventory

Controls (What to Actually Do)

Start with controls that are cheap to run and easy to explain. Each control should have a clear owner and a lightweight cadence.

Create an AI usage policy with allowed use-cases (and a short "not allowed" list)
Define what data is allowed in prompts (and what requires redaction or approval)
Run a weekly risk review for high-impact prompts and workflows
Require human sign-off for any customer-facing or high-stakes outputs
Define escalation + incident response steps (who to notify, what to log, how to pause use)

Checklist (Copy/Paste)

Identify high-risk AI use-cases
Define what data is allowed in prompts
Require human-in-the-loop for critical decisions
Assign one policy owner
Review results and update controls
Keep a simple inventory of AI tools/vendors and owners
Add a "safe prompt" template and a redaction workflow
Log incidents and near-misses (even if informal) and review monthly

Implementation Steps

Draft the policy baseline (1–2 pages)
Map incidents and near-misses to checklist updates
Publish the updated policy internally
Create a lightweight review cadence (weekly 15 minutes; quarterly deeper review)
Add a short approval path for exceptions (who can approve, how it's documented)

Frequently Asked Questions

Q: What is AI governance? A: It is a framework for managing AI use, risk, and compliance within a small team context.

Q: Why does AI governance matter for small teams? A: Small teams face the same AI risks as enterprises but with fewer resources, making lightweight governance frameworks critical.

Q: How do I get started with AI governance? A: Start with a one-page policy baseline, identify your highest-risk AI use-cases, and assign a policy owner.

Q: What are the biggest risks in AI governance? A: Data leakage via prompts, over-reliance on model output, and untracked shadow AI usage.

Q: How often should AI governance controls be reviewed? A: A weekly lightweight review is recommended for high-impact use-cases, with a full policy review quarterly.

References

IAPP. "Top 10 Operational Responses to the GDPR – Part 4: Data Protection Impact Assessments and Data Protection by Default and by Design." https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-4-data-protection-impact-assessments-and-data-protection-by-default-and-by-design
NIST. "Artificial Intelligence." https://www.nist.gov/artificial-intelligence
OECD. "AI Principles." https://oecd.ai/en/ai-principles
ISO. "ISO/IEC 42001:2023 – Artificial Intelligence Management System." https://www.iso.org/standard/81230.html
ICO. "Artificial Intelligence – Guidance for organisations." https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
ENISA. "Artificial Intelligence – Cybersecurity." https://www.enisa.europa.eu/topics/cybersecurity/artificial-intelligence## Practical Examples (Small Team)

Below are three end‑to‑end scenarios that illustrate how a lean AI‑focused team can embed a privacy impact assessment (PIA) into its product lifecycle without adding prohibitive overhead. Each example includes a concise checklist, a "who‑does‑what" matrix, and a short script you can copy‑paste into your project management tool (e.g., Asana, Trello, Jira).

1. New Feature: Automated Customer Sentiment Scoring

Phase	Action	Owner	Artefact
Ideation	Draft a one‑page "privacy hypothesis" that states what personal data will be collected, why it is needed, and the expected benefit.	Product Manager	Privacy hypothesis doc (Google Doc)
Design	Conduct a privacy impact assessment using the "5‑question PIA template" (see Tooling section).	Data Engineer + Privacy Lead	Completed PIA checklist
Development	Implement data‑minimisation: store only sentiment scores, discard raw text after processing.	Backend Engineer	Code comment `# PI: discard raw text after 24h`
Testing	Run a "privacy test suite" that verifies raw text is not persisted beyond the retention window.	QA Engineer	Test report (JUnit XML)
Launch	Publish a short "privacy notice" in the UI and update the internal data‑registry.	UX Designer	UI copy and data‑registry entry
Post‑Launch	Schedule a 30‑day review to confirm the PIA assumptions still hold.	Privacy Lead	Review log entry

Checklist for the PIA (5‑question template)

What data? Identify each data element (e.g., raw text, sentiment score, user ID).
Why needed? Map to a legitimate business purpose (e.g., improve support routing).
Legal basis? Record the GDPR article (e.g., Art. 6(1)(f) – legitimate interests).
Risk level? Rate high/medium/low for re‑identification, profiling, or discrimination.
Mitigations? List concrete controls (encryption, pseudonymisation, retention limits).

One‑page script for Jira (copy‑paste)

Task: Privacy Impact Assessment – Sentiment Scoring Feature
Assignee: @privacy-lead
Due: +5d
Description:
- Fill out the 5‑question PIA template (link)
- Attach the completed checklist to this ticket
- Tag @product‑manager and @backend‑engineer for review

2. Retrospective PIA for an Existing Data‑Pipeline

Many small teams inherit pipelines that were built before GDPR awareness. The following "quick‑audit" routine can be run in a single sprint:

Inventory – Export the pipeline's schema from the data‑catalog and list all personal identifiers.
Gap analysis – Compare the list against the organization's data‑registry; flag any missing entries.
Risk scoring – Use the "risk matrix" (see Tooling) to assign a score (1‑5) for each identifier.
Remediation plan – For scores ≥ 3, create a ticket to add pseudonymisation or delete the field.
Sign‑off – The Privacy Lead signs the "retro‑PIA" document; the Engineering Lead signs the remediation plan.

Owner matrix

Role	Responsibility
Data Engineer	Export schema, add pseudonymisation code
Privacy Lead	Conduct gap analysis, assign risk scores
Engineering Lead	Approve remediation plan, allocate sprint capacity
Compliance Officer	Verify that the retro‑PIA meets audit requirements

3. Cross‑Team AI Model Release with "Privacy by Design"

When an AI model is trained on user data, the following steps embed privacy from day one:

Data‑source approval – Only approved data‑sets (catalogued, consent‑tracked) may be used.
PIA kickoff meeting – 30‑minute stand‑up with the model owner, data scientist, and privacy lead.
Design‑time controls –
- Use differential privacy libraries (e.g., Opacus, TensorFlow Privacy).
- Enforce "feature‑level access control" in the training pipeline.
Documentation – Record the privacy controls in the model card (section "Privacy Impact").
Release gate – The privacy lead must sign off the model card before the model is promoted to production.

One‑page checklist for model releases

Data source listed in the data‑registry with consent evidence
PIA completed and attached to the model repository
Differential privacy budget documented (ε value)
Access control list (ACL) reviewed and approved
Model card updated with "Privacy Impact" section

By following these concrete, repeatable patterns, a small team can keep GDPR compliance tight while still moving fast on AI initiatives.

Metrics and Review Cadence

Operationalizing privacy is not a one‑off activity; it requires ongoing measurement and a predictable review rhythm. Below are the core metrics you should track, how to visualise them, and a cadence that fits a typical two‑week sprint cycle.

1. Core Privacy Metrics

Metric	Definition	Target	Data Source	Frequency
PIA Completion Rate	% of new features that have an attached privacy impact assessment before code freeze.	≥ 95 %	Jira/Asana tickets (label "PIA")	Sprint end
Risk‑Score Distribution	Histogram of risk scores (1‑5) across all active data‑flows.	≤ 10 % of flows scoring 4‑5	Data‑registry + risk matrix	Monthly
Data‑Retention Violations	Number of records found persisting beyond defined retention windows.	0	Automated audit script (SQL)	Weekly
Privacy Incident Response Time	Median time from detection to containment of a privacy‑related incident.	≤ 48 h	Incident‑management system	Quarterly
Training‑Data Consent Coverage	% of training data rows with documented, valid consent.	≥ 99 %	Consent‑ledger	Quarterly

Visualisation tip: Use a simple dashboard in Google Data Studio or PowerBI with a "privacy health score" that aggregates the above metrics (weighted 30 % PIA completion, 30 % risk distribution, 20 % retention, 10 % incident time, 10 % consent coverage). The score can be displayed as a traffic‑light gauge (green ≥ 80, amber ≥ 60, red < 60).

2. Review Cadence Blueprint

Cadence	Meeting	Participants	Agenda Items	Output
Weekly (Operational)	Privacy Ops Stand‑up (15 min)	Privacy Lead, Data Engineer, Scrum Master	- Review new

Practical Examples (Small Team)

When a lean AI team of three to five people needs to run a privacy impact assessment (PIA) without pulling in a full‑time legal department, the process must be both lightweight and auditable. Below is a step‑by‑step playbook that can be completed in a single sprint (2 weeks) and repeated for each new data‑driven feature.

Step	Owner	Action	Artefact
1️⃣ Define scope	Product Owner	List the data flows that the new feature will touch (ingestion, storage, model training, inference). Include third‑party APIs and any cross‑border transfers.	"Scope Sheet" (one‑page table)
2️⃣ Identify privacy risks	Data Engineer	Map each flow to the GDPR risk categories (unauthorised access, excessive retention, profiling, etc.). Use the IAPP risk matrix as a quick reference.	Risk Register (Excel/Google Sheet)
3️⃣ Apply privacy‑by‑design controls	Lead Engineer	For each high‑risk item, select a mitigation (e.g., pseudonymisation, differential privacy, access‑role restriction). Record the control, its implementation status, and any trade‑offs (model accuracy vs. privacy).	Controls Log (Markdown)
4️⃣ Draft the PIA summary	Compliance Champion (often the product manager)	Write a 1‑page narrative: purpose, data categories, legal basis, risk rating, mitigations, and residual risk. Keep the language plain enough for a non‑technical reviewer.	PIA Summary (PDF)
5️⃣ Internal review	All team members	Conduct a 30‑minute "privacy stand‑up" where each member signs off on the summary. Use a shared checklist to verify that: • legal basis is documented • data minimisation is applied • retention schedule is set.	Sign‑off Sheet (Google Form)
6️⃣ External audit (if required)	CTO or external consultant	Provide the PIA Summary and supporting artefacts to the auditor. Answer any follow‑up questions within 48 hours to keep the sprint on track.	Audit Response Log
7️⃣ Publish & monitor	Product Owner	Store the final PIA in the team's knowledge base (e.g., Confluence) and link it to the feature ticket. Set a reminder for the next review (see Metrics section).	Knowledge‑Base Entry

Mini‑script for the privacy stand‑up

"Team, let's walk through the risk register. For each 'high' rating, confirm we have a control logged in the Controls Log, and that the control is deployed in code (pull request #1234). If any control is still pending, we flag it as a blocker for release."

This script keeps the discussion focused, ensures accountability, and produces a written record (the meeting notes) that can be attached to the PIA artefacts.

Key take‑aways for small teams

Time‑box the assessment – two weeks is enough to surface major issues without derailing development.
Leverage existing tickets – embed privacy tasks as sub‑tasks in the feature's Jira story; the PIA becomes part of the definition of done.
Use a single source of truth – a shared Google Sheet or Confluence page prevents version drift and makes the audit trail obvious.

By following this checklist, a five‑person AI squad can meet GDPR compliance, demonstrate privacy‑by‑design, and keep the development velocity high.

Metrics and Review Cadence

Operationalising privacy impact assessments requires more than a one‑off checklist; it demands ongoing measurement so that the team can prove continuous compliance and improve risk management over time. Below are the core metrics that a small team should track, how to collect them, and the cadence for review.

Core Metrics

Metric	Definition	Data Source	Target
PIA Completion Rate	Percentage of new features that have an approved PIA before release.	Release pipeline tags (e.g., `PIA‑Approved`)	≥ 95 %
Risk Reduction Ratio	(Number of high‑risk items before mitigation – number after mitigation) ÷ number before mitigation.	Risk Register before/after controls	≥ 80 %
Control Deployment Lag	Days between control identification and code merge.	Git commit timestamps linked to control IDs	≤ 7 days
Residual Risk Score	Weighted sum of remaining risk ratings after mitigations (scale 1‑5).	Updated Risk Register	≤ 2 (average)
Audit Finding Closure Time	Days to resolve audit‑identified gaps.	Audit tracker	≤ 14 days

Automated Collection

CI/CD Integration – Add a step in the pipeline that checks for the PIA‑Approved label on the pull request. If missing, the build fails and logs the metric as "0".
Git Hooks – When a control ID is referenced in a commit message (Ctrl‑123), a webhook updates the "Control Deployment Lag" field in a central spreadsheet.
Dashboard – Use a lightweight BI tool (e.g., Google Data Studio) to pull data from the spreadsheet and Git logs, visualising the metrics on a single "Privacy Health" dashboard.

Review Cadence

Cadence	Participants	Agenda
Weekly Sprint Review	Product Owner, Lead Engineer, Compliance Champion	Verify that all stories in the sprint have PIA approval; surface any "Control Deployment Lag" alerts.
Monthly Metrics Sync	Entire team + optional legal advisor	Review dashboard trends, discuss any spikes in residual risk, and adjust the risk matrix if new threat vectors emerge.
Quarterly Governance Meeting	CTO, Data Protection Officer (if available), Team Leads	Deep dive into audit findings, evaluate the effectiveness of mitigations, and decide on policy updates (e.g., tightening retention periods).
Annual GDPR Audit Prep	Compliance Champion + external auditor	Compile all PIA summaries, risk registers, and metric logs into a single audit package; perform a mock audit to identify gaps.

Ritual tip: During the monthly sync, allocate a 5‑minute "quick win" slot where a team member shares a concrete improvement (e.g., switching from plain‑text logs to encrypted storage) and updates the Controls Log in real time. This habit reinforces a culture of continuous privacy improvement.

Tooling and Templates

To keep the process repeatable, small teams benefit from a small toolbox of free or low‑cost resources that can be customised once and reused across projects. Below is a curated list of the most practical assets, along with brief implementation notes.

Templates

Template	Description	How to Deploy
Scope Sheet (One‑Pager)	Simple table listing data sources, purposes, legal bases, and retention.	Duplicate the Google Sheet, rename per project, and share with the team.
Risk Register (Matrix)	Pre‑filled with GDPR risk categories and scoring rubric (Likelihood × Impact).	Import the CSV into your preferred spreadsheet; add a column for "Mitigation ID".
Controls Log (Markdown)	Markdown table tracking control ID, description, implementation status, and code reference.	Store in the repo's `/privacy/` folder; link each row to a GitHub issue.
PIA Summary Template	One‑page narrative with headings: Purpose, Data Flow, Legal Basis, Risks, Controls, Residual Risk.	Use the provided .docx file; fill in placeholders and export to PDF for audit.
Sign‑off Form (Google Form)	Simple form where each reviewer checks a box for "Scope verified", "Risks addressed", "Controls deployed".	Create a new form, copy the question list, and set up email notifications for completions.

Tools

Tool	Free Tier / Cost	Primary Use
GitHub Actions	Free for public repos, $0.2 per 1,000 minutes for private	Enforce PIA label check, auto‑populate Control Deployment Lag via commit messages.
Google Data Studio	Free	Build the "Privacy Health" dashboard from spreadsheets and Git logs.
Jira/Linear	Free for small teams (up to 10 users)	Attach PIA artefacts to feature tickets; use custom fields for "PIA Status".
Open‑Source DPIA Checklist (IAPP)	Free	Baseline checklist that can be imported into the Risk Register.
Differential Privacy Library (Google DP, PySyft)	Free	Implement privacy‑preserving model training; link the library version in the Controls Log.

Quick‑Start Playbook

Clone the repository – git clone https://github.com/yourorg/privacy‑toolkit.git.
Copy the template folder – `cp -R privacy‑toolkit/templates my‑project

None

Key Takeaways

Small teams need lightweight, actionable governance — not enterprise-grade bureaucracy
A one-page policy baseline is enough to start; iterate from there
Assign one policy owner and hold a weekly 15-minute review
Data handling and prompt content are the top risk areas
Human-in-the-loop is required for high-stakes decisions

Summary

If you only do three things this week: publish an "allowed vs not allowed" policy, name an owner, and set a short review cadence to keep usage visible and intentional.

Governance Goals

For a lean team, governance goals should translate directly into day-to-day behaviors: what people can do, what they must not do, and what they need approval for.

Reduce avoidable risk while preserving team velocity
Make "approved vs not approved" usage explicit
Provide lightweight review ownership and cadence
Keep a paper trail (decisions, incidents, exceptions) without slowing delivery

Risks to Watch

Most small teams underestimate "silent" risks: sensitive data in prompts, untracked tools, and decisions made from model output that never get reviewed.

Data leakage via prompts or outputs
Over-trusting model output in production decisions
Untracked shadow AI usage
Vendor/tooling sprawl without a risk owner or inventory

Controls (What to Actually Do)

Start with controls that are cheap to run and easy to explain. Each control should have a clear owner and a lightweight cadence.

Create an AI usage policy with allowed use-cases (and a short "not allowed" list)
Define what data is allowed in prompts (and what requires redaction or approval)
Run a weekly risk review for high-impact prompts and workflows
Require human sign-off for any customer-facing or high-stakes outputs
Define escalation + incident response steps (who to notify, what to log, how to pause use)

Checklist (Copy/Paste)

Identify high-risk AI use-cases
Define what data is allowed in prompts
Require human-in-the-loop for critical decisions
Assign one policy owner
Review results and update controls
Keep a simple inventory of AI tools/vendors and owners
Add a "safe prompt" template and a redaction workflow
Log incidents and near-misses (even if informal) and review monthly

Implementation Steps

Draft the policy baseline (1–2 pages)
Map incidents and near-misses to checklist updates
Publish the updated policy internally
Create a lightweight review cadence (weekly 15 minutes; quarterly deeper review)
Add a short approval path for exceptions (who can approve, how it's documented)

Frequently Asked Questions

Q: What is AI governance? A: It is a framework for managing AI use, risk, and compliance within a small team context.

Q: Why does AI governance matter for small teams? A: Small teams face the same AI risks as enterprises but with fewer resources, making lightweight governance frameworks critical.

Q: How do I get started with AI governance? A: Start with a one-page policy baseline, identify your highest-risk AI use-cases, and assign a policy owner.

Q: What are the biggest risks in AI governance? A: Data leakage via prompts, over-reliance on model output, and untracked shadow AI usage.

Q: How often should AI governance controls be reviewed? A: A weekly lightweight review is recommended for high-impact use-cases, with a full policy review quarterly.

References

IAPP. "Top 10 Operational Responses to the GDPR – Part 4: Data Protection Impact Assessments and Data Protection by Default and by Design." https://iapp.org/news/a/top-10-operational-responses-to-the-gdpr-part-4-data-protection-impact-assessments-and-data-protection-by-default-and-by-design
NIST. "Artificial Intelligence." https://www.nist.gov/artificial-intelligence
OECD. "AI Principles." https://oecd.ai/en/ai-principles
ISO. "ISO/IEC 42001:2023 – Artificial Intelligence Management System." https://www.iso.org/standard/81230.html
ICO. "Artificial Intelligence – Guidance for organisations." https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/
ENISA. "Artificial Intelligence – Cybersecurity." https://www.enisa.europa.eu/topics/cybersecurity/artificial-intelligence## Practical Examples (Small Team)

1. New Feature: Automated Customer Sentiment Scoring

Phase	Action	Owner	Artefact
Ideation	Draft a one‑page "privacy hypothesis" that states what personal data will be collected, why it is needed, and the expected benefit.	Product Manager	Privacy hypothesis doc (Google Doc)
Design	Conduct a privacy impact assessment using the "5‑question PIA template" (see Tooling section).	Data Engineer + Privacy Lead	Completed PIA checklist
Development	Implement data‑minimisation: store only sentiment scores, discard raw text after processing.	Backend Engineer	Code comment `# PI: discard raw text after 24h`
Testing	Run a "privacy test suite" that verifies raw text is not persisted beyond the retention window.	QA Engineer	Test report (JUnit XML)
Launch	Publish a short "privacy notice" in the UI and update the internal data‑registry.	UX Designer	UI copy and data‑registry entry
Post‑Launch	Schedule a 30‑day review to confirm the PIA assumptions still hold.	Privacy Lead	Review log entry

Checklist for the PIA (5‑question template)

What data? Identify each data element (e.g., raw text, sentiment score, user ID).
Why needed? Map to a legitimate business purpose (e.g., improve support routing).
Legal basis? Record the GDPR article (e.g., Art. 6(1)(f) – legitimate interests).
Risk level? Rate high/medium/low for re‑identification, profiling, or discrimination.
Mitigations? List concrete controls (encryption, pseudonymisation, retention limits).

One‑page script for Jira (copy‑paste)

Task: Privacy Impact Assessment – Sentiment Scoring Feature
Assignee: @privacy-lead
Due: +5d
Description:
- Fill out the 5‑question PIA template (link)
- Attach the completed checklist to this ticket
- Tag @product‑manager and @backend‑engineer for review

2. Retrospective PIA for an Existing Data‑Pipeline

Many small teams inherit pipelines that were built before GDPR awareness. The following "quick‑audit" routine can be run in a single sprint:

Inventory – Export the pipeline's schema from the data‑catalog and list all personal identifiers.
Gap analysis – Compare the list against the organization's data‑registry; flag any missing entries.
Risk scoring – Use the "risk matrix" (see Tooling) to assign a score (1‑5) for each identifier.
Remediation plan – For scores ≥ 3, create a ticket to add pseudonymisation or delete the field.
Sign‑off – The Privacy Lead signs the "retro‑PIA" document; the Engineering Lead signs the remediation plan.

Owner matrix

Role	Responsibility
Data Engineer	Export schema, add pseudonymisation code
Privacy Lead	Conduct gap analysis, assign risk scores
Engineering Lead	Approve remediation plan, allocate sprint capacity
Compliance Officer	Verify that the retro‑PIA meets audit requirements

3. Cross‑Team AI Model Release with "Privacy by Design"

When an AI model is trained on user data, the following steps embed privacy from day one:

Data‑source approval – Only approved data‑sets (catalogued, consent‑tracked) may be used.
PIA kickoff meeting – 30‑minute stand‑up with the model owner, data scientist, and privacy lead.
Design‑time controls –
- Use differential privacy libraries (e.g., Opacus, TensorFlow Privacy).
- Enforce "feature‑level access control" in the training pipeline.
Documentation – Record the privacy controls in the model card (section "Privacy Impact").
Release gate – The privacy lead must sign off the model card before the model is promoted to production.

One‑page checklist for model releases

Data source listed in the data‑registry with consent evidence
PIA completed and attached to the model repository
Differential privacy budget documented (ε value)
Access control list (ACL) reviewed and approved
Model card updated with "Privacy Impact" section

By following these concrete, repeatable patterns, a small team can keep GDPR compliance tight while still moving fast on AI initiatives.

Metrics and Review Cadence

1. Core Privacy Metrics

Metric	Definition	Target	Data Source	Frequency
PIA Completion Rate	% of new features that have an attached privacy impact assessment before code freeze.	≥ 95 %	Jira/Asana tickets (label "PIA")	Sprint end
Risk‑Score Distribution	Histogram of risk scores (1‑5) across all active data‑flows.	≤ 10 % of flows scoring 4‑5	Data‑registry + risk matrix	Monthly
Data‑Retention Violations	Number of records found persisting beyond defined retention windows.	0	Automated audit script (SQL)	Weekly
Privacy Incident Response Time	Median time from detection to containment of a privacy‑related incident.	≤ 48 h	Incident‑management system	Quarterly
Training‑Data Consent Coverage	% of training data rows with documented, valid consent.	≥ 99 %	Consent‑ledger	Quarterly

2. Review Cadence Blueprint

Cadence	Meeting	Participants	Agenda Items	Output
Weekly (Operational)	Privacy Ops Stand‑up (15 min)	Privacy Lead, Data Engineer, Scrum Master	- Review new

Practical Examples (Small Team)

Step	Owner	Action	Artefact
1️⃣ Define scope	Product Owner	List the data flows that the new feature will touch (ingestion, storage, model training, inference). Include third‑party APIs and any cross‑border transfers.	"Scope Sheet" (one‑page table)
2️⃣ Identify privacy risks	Data Engineer	Map each flow to the GDPR risk categories (unauthorised access, excessive retention, profiling, etc.). Use the IAPP risk matrix as a quick reference.	Risk Register (Excel/Google Sheet)
3️⃣ Apply privacy‑by‑design controls	Lead Engineer	For each high‑risk item, select a mitigation (e.g., pseudonymisation, differential privacy, access‑role restriction). Record the control, its implementation status, and any trade‑offs (model accuracy vs. privacy).	Controls Log (Markdown)
4️⃣ Draft the PIA summary	Compliance Champion (often the product manager)	Write a 1‑page narrative: purpose, data categories, legal basis, risk rating, mitigations, and residual risk. Keep the language plain enough for a non‑technical reviewer.	PIA Summary (PDF)
5️⃣ Internal review	All team members	Conduct a 30‑minute "privacy stand‑up" where each member signs off on the summary. Use a shared checklist to verify that: • legal basis is documented • data minimisation is applied • retention schedule is set.	Sign‑off Sheet (Google Form)
6️⃣ External audit (if required)	CTO or external consultant	Provide the PIA Summary and supporting artefacts to the auditor. Answer any follow‑up questions within 48 hours to keep the sprint on track.	Audit Response Log
7️⃣ Publish & monitor	Product Owner	Store the final PIA in the team's knowledge base (e.g., Confluence) and link it to the feature ticket. Set a reminder for the next review (see Metrics section).	Knowledge‑Base Entry

Mini‑script for the privacy stand‑up

"Team, let's walk through the risk register. For each 'high' rating, confirm we have a control logged in the Controls Log, and that the control is deployed in code (pull request #1234). If any control is still pending, we flag it as a blocker for release."

This script keeps the discussion focused, ensures accountability, and produces a written record (the meeting notes) that can be attached to the PIA artefacts.

Key take‑aways for small teams

Time‑box the assessment – two weeks is enough to surface major issues without derailing development.
Leverage existing tickets – embed privacy tasks as sub‑tasks in the feature's Jira story; the PIA becomes part of the definition of done.
Use a single source of truth – a shared Google Sheet or Confluence page prevents version drift and makes the audit trail obvious.

By following this checklist, a five‑person AI squad can meet GDPR compliance, demonstrate privacy‑by‑design, and keep the development velocity high.

Metrics and Review Cadence

Core Metrics

Metric	Definition	Data Source	Target
PIA Completion Rate	Percentage of new features that have an approved PIA before release.	Release pipeline tags (e.g., `PIA‑Approved`)	≥ 95 %
Risk Reduction Ratio	(Number of high‑risk items before mitigation – number after mitigation) ÷ number before mitigation.	Risk Register before/after controls	≥ 80 %
Control Deployment Lag	Days between control identification and code merge.	Git commit timestamps linked to control IDs	≤ 7 days
Residual Risk Score	Weighted sum of remaining risk ratings after mitigations (scale 1‑5).	Updated Risk Register	≤ 2 (average)
Audit Finding Closure Time	Days to resolve audit‑identified gaps.	Audit tracker	≤ 14 days

Automated Collection

CI/CD Integration – Add a step in the pipeline that checks for the PIA‑Approved label on the pull request. If missing, the build fails and logs the metric as "0".
Git Hooks – When a control ID is referenced in a commit message (Ctrl‑123), a webhook updates the "Control Deployment Lag" field in a central spreadsheet.
Dashboard – Use a lightweight BI tool (e.g., Google Data Studio) to pull data from the spreadsheet and Git logs, visualising the metrics on a single "Privacy Health" dashboard.

Review Cadence

Cadence	Participants	Agenda
Weekly Sprint Review	Product Owner, Lead Engineer, Compliance Champion	Verify that all stories in the sprint have PIA approval; surface any "Control Deployment Lag" alerts.
Monthly Metrics Sync	Entire team + optional legal advisor	Review dashboard trends, discuss any spikes in residual risk, and adjust the risk matrix if new threat vectors emerge.
Quarterly Governance Meeting	CTO, Data Protection Officer (if available), Team Leads	Deep dive into audit findings, evaluate the effectiveness of mitigations, and decide on policy updates (e.g., tightening retention periods).
Annual GDPR Audit Prep	Compliance Champion + external auditor	Compile all PIA summaries, risk registers, and metric logs into a single audit package; perform a mock audit to identify gaps.

Tooling and Templates

Templates

Template	Description	How to Deploy
Scope Sheet (One‑Pager)	Simple table listing data sources, purposes, legal bases, and retention.	Duplicate the Google Sheet, rename per project, and share with the team.
Risk Register (Matrix)	Pre‑filled with GDPR risk categories and scoring rubric (Likelihood × Impact).	Import the CSV into your preferred spreadsheet; add a column for "Mitigation ID".
Controls Log (Markdown)	Markdown table tracking control ID, description, implementation status, and code reference.	Store in the repo's `/privacy/` folder; link each row to a GitHub issue.
PIA Summary Template	One‑page narrative with headings: Purpose, Data Flow, Legal Basis, Risks, Controls, Residual Risk.	Use the provided .docx file; fill in placeholders and export to PDF for audit.
Sign‑off Form (Google Form)	Simple form where each reviewer checks a box for "Scope verified", "Risks addressed", "Controls deployed".	Create a new form, copy the question list, and set up email notifications for completions.

Tools

Tool	Free Tier / Cost	Primary Use
GitHub Actions	Free for public repos, $0.2 per 1,000 minutes for private	Enforce PIA label check, auto‑populate Control Deployment Lag via commit messages.
Google Data Studio	Free	Build the "Privacy Health" dashboard from spreadsheets and Git logs.
Jira/Linear	Free for small teams (up to 10 users)	Attach PIA artefacts to feature tickets; use custom fields for "PIA Status".
Open‑Source DPIA Checklist (IAPP)	Free	Baseline checklist that can be imported into the Risk Register.
Differential Privacy Library (Google DP, PySyft)	Free	Implement privacy‑preserving model training; link the library version in the Controls Log.

Quick‑Start Playbook

Clone the repository – git clone https://github.com/yourorg/privacy‑toolkit.git.
Copy the template folder – `cp -R privacy‑toolkit/templates my‑project

None

Get the next template in your inbox

Get the next template in your inbox