Document Type: Engineering Checklist / Privacy-by-Design Review
Owner: Engineering Lead
Applies To: New data collection, new integrations, new analytics, new features involving customer data
Review Frequency: Annual
Version: 1.0
## Purpose

This checklist ensures privacy-by-design principles are applied to any system change that introduces or modifies personal data, customer data, or data flows.

## Scope

Required when any change:

- adds collection of personal data (PII) or customer identifiers
- changes how data is stored or processed
- introduces new third-party integrations
- changes logging, analytics, or monitoring outputs
- changes retention or deletion behavior
- changes access boundaries between customers (multi-tenant impact)

## Checklist
### A. Data Inventory and Purpose

| Item | Response |
|---|---|
| What data is being collected or processed? | |
| Is any personal data included? | Yes / No |
| Purpose of collection/processing | |
| Is the purpose essential to the feature? | Yes / No |
| Data owner / steward | |
### B. Data Minimization and Defaults

| Control | Check | Notes |
|---|---|---|
| Data minimization applied (collect/store only what is necessary) | Yes / No / N/A | |
| Optional data fields avoided or strictly justified | Yes / No / N/A | |
| Privacy is default (no extra collection unless explicitly required) | Yes / No / N/A | |
| Logs avoid sensitive payloads by default | Yes / No / N/A | |
### C. Security and Lifecycle Protection

| Control | Check | Notes |
|---|---|---|
| Encryption in transit validated (TLS 1.2+) | Yes / No / N/A | |
| Encryption at rest validated | Yes / No / N/A | |
| Access control applied (least privilege, scoped access) | Yes / No / N/A | |
| Retention period defined | Yes / No / N/A | |
| Deletion mechanism exists and is reliable | Yes / No / N/A | |
### D. Transparency and User Impact

| Control | Check | Notes |
|---|---|---|
| Data flows documented (internal or external) | Yes / No / N/A | |
| Third parties involved (if any) identified | Yes / No / N/A | |
| Cross-customer exposure prevented (tenant boundaries) | Yes / No / N/A | |
| Potential user privacy impact reviewed | Yes / No / N/A | |
### E. Third-Party / Integration Considerations (If Applicable)

| Control | Check | Notes |
|---|---|---|
| Vendor has appropriate security posture (SOC 2 / ISO or equivalent) | Yes / No / N/A | |
| Vendor receives minimum data required | Yes / No / N/A | |
| Data sharing documented and approved | Yes / No / N/A | |
### F. Approval

| Role | Name | Date | Result |
|---|---|---|---|
| Peer Reviewer | | | Approved / Changes requested |
| Engineering Lead (required for High impact) | | | Approved / Changes requested |
## Outcome

If privacy risks are identified, the change must include:

- mitigation steps before release, or
- a documented exception with compensating controls approved by the Engineering Lead.
## Document Control

Version 1.0 — Owner: Engineering Lead — Next Review: 12 months