How to Start Data Privacy: Step 1
Answer 5 Questions for your Data Privacy Step 1: Identify, map, and document your users' complete data flow.
By the end of this step, you will know exactly where your business stands with personal data – without guessing, without legal templates, and without opening ten search tabs on your device.
Reading time: 6 minutes | Completion time: 30–60 minutes
"This is just the start. My YouTube channel has more of this. Come join me there."
The #1 Mistake That Ruins Data Privacy Compliance.
Here is the mistake I see startups and growing businesses make every single week.
The moment they realise they need data privacy compliance, they open Google and start searching for the following:
- "What rules apply to us?"
- "What paperwork do we need?"
Then they download GDPR checklists, privacy policy templates, and data processing agreements – before they have even mapped their own data.
That is like trying to run a race before you know where the track goes.
So here is my hard rule for Step 1:
Do not open Google again.
Do not search for more resources.
Do not download a single compliance checklist or policy template.
Not until you have answered all five questions below.
Not four. Not three. All five.
Your only job in Step 1 is to document your current reality – no matter how messy or incomplete it looks. This is your first source of truth.
#2.
How to Perform Data Privacy Step 1: The 5 Essential Questions.
2.1 The Framework Explained
Before you answer, understand this: each question here builds on the previous one. So, do not skip any of them and do not guess. Write down real answers based on your current operations – not what you wish was true.
You can also download my free DIY template (link in section 3 below). Answer every question honestly – based on what you actually do today, not what you think you should do.
2.2 Question #1 - Customer Location and Data Collected.
"Where are your customers located, and what personal information do you actually collect from them?"
Do not list what you could collect. List only what you actually collect.
Common examples:
- Names and email addresses
- Billing addresses and payment card details
- Phone numbers
- Health information or medical data
- Cookies and browsing behaviour
- Location data from mobile apps
- Government ID numbers
Write down every single piece of personal information you collect from customers.
Then write down the country or region where those customers live (EU, California, UK, Asia Pacific, Middle East, etc.). This determines which privacy laws apply to you.
2.3 Question #2 - Your Customers' Expectations vs. Reality.
What Do Your Customers Think You Are Going to Do With Their Information?
This is the honesty check.
When someone signs up for your service, do they expect you to simply deliver what they paid for? Or do you also:
- Track their behaviour on your website?
- Share their data with marketing platforms?
- Run analytics through Google Analytics or similar tools?
- Send them promotional emails they did not explicitly ask for?
Ask yourself: If a customer discovered you were using their information for something else, would they be surprised – or even angry?
Write down the gap between what customers expect and what you actually do.
2.4 Question #3 - Your Legal Reason (Lawful Basis).
What Is Your Legal Reason to Collect Personal Information From Customers?
Under GDPR, CCPA, and most privacy laws, you cannot collect personal data without a valid legal reason (called "lawful basis" in GDPR).
Common lawful bases include:
- Consent – The customer actively agreed (e.g., ticking a box). Consent must be freely given, specific, informed, and unambiguous.
- Contract – You need the data to provide the service or product the customer bought.
- Legal obligation – A law requires you to keep the data (e.g., tax records for 7 years).
- Legitimate interests – Your business has a genuine need, and that need does not override the customer's rights (e.g., fraud prevention). This requires a balancing test.
Do not guess. Write down the specific lawful basis for each type of data you collect.
2.5 Question #4 - The Complete Data Lifecycle.
What Happens to Users' Information Once You Have It? (The Complete Data Lifecycle)
Think through the entire journey of personal data in your business:
- Who sees it? List every role: customer support staff, your IT team, your marketing manager, external accountants, etc.
- How long do you keep it? Days? Months? Years? Do you have a retention schedule?
- Where do you store it? Local laptop hard drive? Cloud storage (which provider? which country)? Third-party servers?
- What happens if a customer asks to access their data? Could you find it within 30 days (as GDPR requires)?
- What happens if a customer asks you to delete everything? Could you do it completely, including from backups?
Write down each stage. If you do not know an answer, write "unknown" or "to be determined". That is still valuable information for Step 2.
2.6 Question #5 - Third-Party Data Sharing.
Do You Share Personal Information With Anyone Else?
Almost every business shares data with third parties. Be honest.
Common examples:
- Email marketing platforms (Mailchimp, Klaviyo, ActiveCampaign, etc.)
- Payment processors (Stripe, PayPal, Square)
- Cloud hosting providers (AWS, Google Cloud, Microsoft Azure)
- Analytics tools (Google Analytics, Hotjar, Mixpanel)
- Customer support software (Zendesk, Intercom, Freshdesk)
- External accountants or legal advisors
For each third party, write down:
- Their full name
- What specific data you share with them
- Why you share it (e.g., "to process credit card payments")
- What country they are based in (important for cross-border data transfers)
If you do not share data with anyone, write that down as well. That is still an answer.
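Here is an added illustration, not part of the author's template, of how the five answers can be kept as a structured data map and checked for gaps automatically instead of by eye. Every class, field name, country code and the sample web-shop records are my assumptions. The checks mirror the questions above: an "unknown" you were told to write down becomes a finding, as does a use customers would not expect (Question 2), a missing lawful basis or a legitimate-interests claim without its balancing test (Question 3), unknown retention, storage or backup deletion (Question 4), and data shared with a third party that is missing from the register or sits in another country (Question 5).

```python
"""Gap-checker for a Step 1 data map (added illustration, not the author's template).
Each answer becomes a small record; find_gaps() then lists every place where the
map is incomplete or where the answers contradict each other.
All class and field names and the sample records are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# The four lawful bases listed under Question 3 (assumption: only these four).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interests"}
UNKNOWN = "unknown"  # the value the page tells you to write when you do not know


@dataclass
class DataItem:
    """One row of the Question 1 table, extended with the Q2-Q5 answers."""
    name: str                                   # e.g. "email address"
    purpose: str                                # why you collect it
    expected_by_customer: bool                  # Q2: would the customer expect this use?
    lawful_basis: str = UNKNOWN                 # Q3
    balancing_test_done: bool = False           # Q3: needed for legitimate_interests
    who_sees: List[str] = field(default_factory=list)      # Q4: roles with access
    retention_days: Optional[int] = None        # Q4: None means unknown
    storage_location: str = UNKNOWN             # Q4: provider and country
    deletable_from_backups: Optional[bool] = None   # Q4: None means unknown
    shared_with: List[str] = field(default_factory=list)   # Q5: third-party names
    sensitive: bool = False                     # health, biometric, government ID


@dataclass
class ThirdParty:
    """One row of the Question 5 third-party register."""
    name: str
    data_shared: List[str]
    reason: str
    country: str = UNKNOWN


@dataclass
class Finding:
    question: int   # which of the five questions the gap belongs to
    subject: str    # the data item or third party concerned
    message: str


def find_gaps(items, register, home_country):
    """Return the list of Findings for a data map; an empty list means no gaps."""
    known = {tp.name for tp in register}
    out = []
    for it in items:
        if not it.expected_by_customer:
            out.append(Finding(2, it.name, f"customers may not expect use for '{it.purpose}'"))
        if it.lawful_basis not in LAWFUL_BASES:
            out.append(Finding(3, it.name, "no lawful basis recorded"))
        elif it.lawful_basis == "legitimate_interests" and not it.balancing_test_done:
            out.append(Finding(3, it.name, "legitimate interests claimed without a balancing test"))
        if not it.who_sees:
            out.append(Finding(4, it.name, "nobody listed as having access"))
        if it.retention_days is None:
            out.append(Finding(4, it.name, "retention period unknown"))
        if it.storage_location == UNKNOWN:
            out.append(Finding(4, it.name, "storage location unknown"))
        if it.deletable_from_backups is not True:
            out.append(Finding(4, it.name, "deletion from backups not confirmed"))
        if it.sensitive:
            out.append(Finding(1, it.name, "sensitive data: full ROPA and extra safeguards needed"))
        for tp_name in it.shared_with:
            if tp_name not in known:
                out.append(Finding(5, it.name, f"shared with '{tp_name}', which is not in the register"))
    for tp in register:
        if tp.country == UNKNOWN:
            out.append(Finding(5, tp.name, "country unknown; cannot assess transfers"))
        elif tp.country != home_country:
            # Assumption: any recipient outside the home country is a transfer to review in Step 2.
            out.append(Finding(5, tp.name, f"cross-border transfer {home_country} -> {tp.country}"))
    return out


def summarize(findings):
    """Count findings per question, e.g. {2: 1, 3: 1, 4: 3, 5: 3}."""
    counts = {}
    for f in findings:
        counts[f.question] = counts.get(f.question, 0) + 1
    return counts


def sample_map():
    """Constructed records for a small German web shop; not real data."""
    items = [
        DataItem("email address", "order confirmations", True, "contract",
                 who_sees=["support"], retention_days=3 * 365,
                 storage_location="AWS eu-central-1", deletable_from_backups=True,
                 shared_with=["Stripe", "Mailchimp"]),
        DataItem("browsing behaviour", "marketing analytics", False,
                 who_sees=["marketing"], shared_with=["Google Analytics"]),
        DataItem("card details", "payment processing", True, "contract",
                 who_sees=["finance"], retention_days=0, storage_location="Stripe (US)",
                 deletable_from_backups=True, shared_with=["Stripe"]),
    ]
    register = [
        ThirdParty("Stripe", ["email address", "card details"], "to process card payments", "US"),
        ThirdParty("Mailchimp", ["email address"], "to send newsletters"),
    ]
    return items, register


if __name__ == "__main__":
    items, register = sample_map()
    for g in find_gaps(items, register, "DE"):
        print(f"Q{g.question} [{g.subject}] {g.message}")
```

Run as a script, the sample map yields eight findings: the fully documented "email address" row produces none, the "browsing behaviour" row produces one each for Questions 2 and 3 and three for Question 4 plus a missing register entry for Google Analytics, and the register itself flags Stripe as a transfer outside the home country and Mailchimp for a missing country. Keeping the map in this form also makes the Step 2 ROPA a matter of exporting the records rather than rewriting them.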
#3.
Free DIY Template for Step 1.
To make this easier, I have created a complimentary DIY template that walks you through all five questions with fill-in fields, examples, and prompts.
Download the Data Privacy Step 1 DIY template here:
OR
Check the demo step 1 template below:
The template includes:
- A table for Question 1 (customer location and data types)
- A comparison table for Question 2 (expectation vs. reality)
- A lawful basis decision helper for Question 3
- A data lifecycle flowchart prompt for Question 4
- A third-party register for Question 5
Use it. Keep it safe. You will need it for Step 2.
#4.
What to Do After Completing Step 1.
Once you have answered all five questions in writing:
✅ Do not move on to policies, templates, or checklists yet.
✅ Do not share this document publicly – it is your internal data map.
✅ Save the document. You will use it to build your Record of Processing Activities (ROPA) – a legal requirement under GDPR Article 30.
Then you are ready for Step 2.
In Step 2, I will show you exactly how to turn your five answers into a working, practical compliance plan – including which privacy laws actually apply to you, which templates you genuinely need, and which ones you can ignore.
Go to Step 2: [Data Privacy Step 2: Build Your Practical Compliance Plan]
#5.
Frequently Asked Questions (FAQ) – Data Privacy Step 1.
Q1. How long does Step 1 take for a small business?
Most small businesses complete the five questions in 30 to 60 minutes. If you have complex data flows (e.g., health data or cross-border transfers), allow 2 to 3 hours.
*For a complete timeline from Step 1 to full compliance, follow my YouTube channel HERE.
Q2. Do I need a lawyer to complete Step 1?
No. Step 1 is about documenting what you actually do today – not giving legal advice. A lawyer becomes useful in Step 2 or Step 3. Do not pay a lawyer to fill out this worksheet.
Q3. What if I do not know an answer to one of the five questions?
Write "unknown" or "to be determined". That is still valuable information. It tells you where your gaps are. You can investigate and fill in the answer later.
Q4. Is this Data Privacy Step 1 & Free DIY Template only for GDPR?
No. The five questions and the free template provided for Step 1 work for GDPR (Europe), CCPA (California), PIPL (China), LGPD (Brazil), and most other privacy laws worldwide. The legal basis question is GDPR-specific, but other laws have similar requirements.
Q5. Can I skip Step 1 and go straight to a privacy policy template?
No. That is the mistake described in section 1. A privacy policy that does not reflect your actual data practices is worse than no policy – it can be considered a deceptive trade practice under laws like the FTC Act and GDPR Article 5(1)(a) (lawfulness, fairness, and transparency).
Q6. What if my business is very small – under 250 employees?
Under GDPR, businesses with fewer than 250 employees are exempt from maintaining a full ROPA unless the processing is not occasional or includes special categories of data or involves criminal convictions. Even if you are exempt, completing Step 1 is still a best practice and protects you in case of an audit.
#6.
Need Professional One-on-One Help?
If you get stuck during Step 1, or if you realise your situation is complex – for example:
- You collect sensitive health or biometric data
- You transfer data across borders (e.g., EU to US)
- You use AI tools that process personal data
- You have been asked by a customer or auditor to provide a data map
You can reach out to me directly.
Ankit Bhargava
CIPP/E Certified Data Privacy Professional
Freelance EU-registered Data Protection Officer (DPO)
I genuinely help your business get data privacy right from the beginning, so you can start practical compliance.