5 Formulas to Build Data Privacy: STEP 2
Step 2 on how to build a data privacy practical roadmap: use 5 simple formulas to turn your answers into clear compliance sentences. Build your foundation in 30 minutes.
If you haven’t completed Step 1 yet, pause and go back. Step 2 builds directly on your answers to the 5 questions. Check out Step 1 here.
Reading time: 7 minutes | Completion time for Step 2: 20–30 minutes
"This is just the start. My YouTube channel has more of this. Come join me there."
Before You Start – Did You Complete Step 1?
Step 2 is designed to build directly on the answers you wrote down in Step 1 – those five honest facts about your customer data, expectations, legal reasons, data flow, and third-party sharing. Without those answers, the formulas in this guide will feel like empty templates.
So, if you have your Step 1 notes in front of you, great. Keep them handy.
If you do not, you have two options:
-
Option A: Complete Step 1 now. The link is below.
-
Option B: Read through Step 2 to see where the road leads, then go back and do the work.
Either path is fine. But do not expect to fill out the formulas below without your Step 1 answers. They are the ingredients. This page is the recipe.
Link to Step 1: (check now)
I am sure that you did the hard part in Step 1. You wrote down the answers to all 5 essential questions we discussed earlier.
But notes alone won't protect you.
Step 2 is where those notes turn into something you can actually use. Five simple formulas to turn your answers from Step 1 into a structure that makes sense.
Let's go.
2.1
What Data You Collect & Where Your Customers Live?
Fill in the blanks with your Step 1 (Q1.) answers:
Formula #1:
"We collect [types of data] from customers located in [customer location]."
Example:
"We collect names, email addresses, and billing information from customers located in the European Union and California."
Why this matters:
1. Reveals which laws apply to you: Customers in the EU/UK? GDPR/UK DPA 2018 applies. Customers in California? CCPA applies. Customers in Singapore? PDPA applies. Consumers in India? DPDPA applies. Customers in the Middle East? PDPL applies.
2. Stops you from collecting unnecessary data: If you cannot honestly fill in "what data you collect" without a long list, you might be collecting too much.
3. Creates transparency: This sentence can go directly into your privacy policy – customers appreciate honesty.
How To Answer This?
In Step 1, Question 1, you wrote down two things:
- Answer 1.1: Where your customers live (country or region).
- Answer 1.2: What personal data you actually collect from them.
Now you are simply putting those two answers into one clear sentence.
Formula #1:
"We collect [types of data] from customers located in [customer location]."
2.1
What Data You Collect & Where Your Customers Live?
Fill in the blanks with your Step 1 answers:
2.2
What Your Customers Actually Expect?
Fill in the blanks with your Step 1 (Q2.) answers:
Formula #2:
"Our customers expect us to use their information to [main service / purpose]."
Example:
"Our customers expect us to use their information to deliver our monthly software subscription and provide customer support."
Why This Sentence Matters
This sentence is your trust meter. It does three things:
1. Keeps you honest: If you ever use customer data in a way that would surprise them, you have broken trust – and likely broken the law.
2. Prevents "scope creep": Many businesses start collecting data for one purpose, then quietly use it for another. This sentence stops that.
3. Builds customer confidence: When customers see you understand what they expect, they trust you more
How To Answer This?
In Step 1, Question 2, you asked yourself:
- "What do my customers think I am going to do with their information?"
You wrote down the honest answer – what they actually signed up for. Not what you wish they expected. Not what your terms of service say. But what a reasonable customer would believe.
Now you are turning that honest answer into a sentence.
Formula #2:
"Our customers expect us to use their information to [main service / purpose]."
2.2
What Your Customers Actually Expect?
Fill in the blanks with your Step 1 (Q2) answers:
The Honesty Test after Step 2.2
Ask yourself these three questions after writing your sentence:
Question(s):
Q1: Does my sentence describe only what my customers explicitly signed up for?
Q2: Would my customers agree with this sentence if I showed it to them?
Q3: Do I currently use their data for anything NOT in this sentence?
If your answer is "No"…
1. You are over-promising or over-collecting.
2. You have a gap between expectation and reality.
3. You are likely breaking privacy laws.
If you answered "No" to any of the above, you have work to do. See Section 6 for help.
2.3
Your Legal Reason for Collecting Data (Lawful Basis).
Fill in the blanks with your Step 1 (Q3.) answers:
Formula #3: (pick the option that matches your Step 1 answer):
☐ "Our users have freely given their personal information to us to fulfil [purpose from Formula 2]." (Consent)
☐ "We need our users' information as part of a contract or under a contractual obligation." (Contract)
☐ "The law requires us to collect or keep our users' data." (Legal obligation)
☐ "We have collected the personal information in our company's or business interest." (Legitimate interests – requires balancing test)
☐ "We are not sure." (see Section 6 below)
In Step 1, Question 3, you asked yourself: "What is my legal reason for collecting personal information?"
Now you are turning that answer into a clear, defensible statement. This is your answer when someone asks, "Why do you have my data?"
Formula #3: (pick the option that matches your Step 1 answer):
☐ "Our users have freely given their personal information to us to fulfil [purpose from Formula 2]." (Consent)
☐ "We need our users' information as part of a contract or under a contractual obligation." (Contract)
☐ "The law requires us to collect or keep our users' data." (Legal obligation)
☐ "We have collected the personal information in our company's or business interest." (Legitimate interests – requires balancing test)
☐ "We are not sure." (see Section 6 below)
2.3
Your Legal Reason for Collecting Data (Lawful Basis)
How To Answer This?
Fill in the blanks with your Step 1 (Q3.) answers:
In Step 1, Question 3, you asked yourself: "What is my legal reason for collecting personal information?"
Now you are turning that answer into a clear, defensible statement. This is your answer when someone asks, "Why do you have my data?"
2.4.
Where Data Lives, Who Sees It, How Long You Keep It?
Fill in the blanks with your Step 1 (Q4.) answers:
Formula #4:
"We store our users' personal data in [location]. [Roles] have access to it. We keep it for [time period]. If a customer asks, we can [access / delete / update] their information."
Example:
"We store our users' personal data in AWS servers located in Ireland. Only our customer support manager and IT administrator have access to it. We keep it for 24 months after the last login. If a customer asks, we can access, update, and delete their information within 30 days."
The Five Parts of This Formula
1. Location - Where is the data stored? (cloud provider, country, laptop) – "AWS servers in Ireland"
2. Roles - Which people or teams can see it? - "Customer support manager and IT admin"
3. Time period - How long do you keep it before deleting? - "24 months after last login"
4. Access - Can you find their data if they ask? - "Yes, within 30 days."
5. Delete/Update - Can you change or remove it? - "Yes, we can delete and update."
Formula #4:
"We store our users' personal data in [location]. [Roles] have access to it. We keep it for [time period]. If a customer asks, we can [access / delete / update] their information."
2.4
Where Data Lives, Who Sees It, How Long You Keep It?
How To Answer This?
In Step 1, Question 4, you thought through the entire journey of customer data, from collection to deletion.
Fill in the blanks with your Step 1 (Q4.) answers:
2.5
Who You Share Data With and Why?
Fill in the blanks with your Step 1 (Q5.) answers:
Formula #5:
We share data with [recipients] for [purpose]."
If you do not share data with anyone:
"We do not share this information with any third parties."
Example (sharing):
"We share data with Stripe (payment processing), Mailchimp (email marketing), and Google Analytics (website analytics)."
Why This Sentence Matters:
- Draws your boundary: You now know exactly where your data goes after it leaves your hands.
- Shows responsibility: You are accountable for what third parties do with your data.
- Prepares for vendor agreements: You need a Data Processing Agreement (DPA) with each third party.
Examples by Business Type
1. Online store - Stripe (payments), ShipStation (shipping), QuickBooks (accounting).
2. SaaS company - AWS (hosting), SendGrid (emails), Intercom (support).
3. Consultant - Calendly (scheduling), Zoom (meetings), and DocuSign (contracts).
4. Mobile app - Firebase (backend), RevenueCat (subscriptions), Mixpanel (analytics).
How To Answer This?
In Step 1, Question 5, you listed every third party that touches customer data – payment processors, email tools, hosting providers, accountants – everyone.
Now you are turning that list into one clear sentence.
Formula #5:
We share data with [recipients] for [purpose]."
If you do not share data with anyone:
"We do not share this information with any third parties."
2.5:
Who You Share Data With and Why?
Fill in the blanks with your Step 1 (Q5.) answers:
#3.
What You Have Built – Your Complete, Honest Snapshot
You started with scattered notes. Maybe a few bullet points. Maybe some answers scribbled on paper.
Now look at what you have.
The 5 Sentences You Have Written: After applying all five formulas, you now have:
Formula 1:
What data you collect and where your customers live.
Formula 2:
What your customers actually expect you to do with their data.
Formula 3:
Your legal reason for collecting it.
Formula 4:
Where the data lives, who sees it, and how long you keep it.
Formula 5:
Who you share it with and why.
Most business owners never get this far. They jump straight to downloading privacy policy templates or hiring lawyers before understanding their own data.
You did the opposite. You built from the ground up. Here is what you now have that most businesses do not:
What You Have:
- A clear list of what data you actually collect (not what you think you collect)
- An honest statement of customer expectations.
- A documented legal reason for every type of data.
- A map of where data lives and who touches it.
- A complete list of third parties who get customer data.
Why Most Businesses Do Not Have It
- They guess or copy-paste from templates
- They assume or ignore
- They hope no one asks
- They never thought about it
- They forget or hide it
Why This Is a Big Deal
A Quick Reality Check
Read your five sentences out loud.
1. Do they feel honest?
2. Do they match what actually happens in your business?
If yes, great. You are ahead of 90% of small businesses.
If not – that is fine too. You have identified gaps. That is valuable. You cannot fix what you do not see.
#4.
What to Do After Completing Step 2.
You have done the hard work. You turned your scattered notes into five clear, honest sentences about your data practices.
But five sentences are not a strategy. They are a snapshot.
Now it is time to turn that snapshot into a guiding light for your entire business. CHECK OUT STEP# 3.
#5.
Frequently Asked Questions (FAQ) – Step 2
Q1. Do I need to share my five sentences with anyone?
Not unless you want to.
These five sentences are first for you – to understand your own business. You do not need to publish them or share them with customers.
However, Formulas 1, 2, and 5 are excellent sources for your public privacy policy. Most privacy policies are generic templates. Yours can be honest and specific because you have done the work.
When you might share them:
-
With your team, so everyone handles data the same way
-
With a lawyer, so they can review your legal basis
-
With an auditor, to prove you have done your homework
When you should NOT share them:
-
Publicly on your website (unless you have anonymised or reviewed them)
-
With vendors before signing a Data Processing Agreement
Q2. What if my answers from Step 1 raised more questions than answers?
That is completely normal – and honestly, a good sign.
It means you stopped guessing. You started noticing gaps. You cannot fix what you do not see.
Common gaps data owners & innovators find:
Gap #1
"I don't know my legal basis."
What It Means
You have been collecting data without a clear defence – many businesses do this
"
Gap #2
I don't know where my data lives."
What It Means
Your storage is scattered across laptops, cloud, and old hard drives
Gap #3
"I don't know who I share data with."
What It Means
You use many tools and lost track
What to do next:
See Section 6 (the one below this FAQ section) for one-on-one support.
Q3. Can I use these 5 formulas for multiple different activities?
Yes. And you should, if your business does very different things.
For example: A fitness app that also sells merchandise.
Your Activities:
- Fitness tracking (health data).
- Selling merchandise (name, address, payment).
Q) Do you need a separate set of formulas?
✅ Yes – different data, different legal basis.
✅ Yes – different purpose, different third parties.
How to know if you need separate sets:
Ask yourself: "Would a customer be surprised if I used their data from Activity A for Activity B?"
If yes, write separate formulas for each activity.
Most small businesses only need one set. Do not overcomplicate it.
Q4. Is Step 2 necessary if I already have a privacy policy?
Most privacy policies are generic templates. Someone downloaded it, changed the business name, and published it.
Here is a quick test:
Question:
- Does your privacy policy list exactly what data you collect (not a generic list)?
If you answer "No"…
Your policy is likely inaccurate
Question:
Does it state your specific legal basis for each type of data?
If you answer "No"…
It is probably vague.
Question:
Does it name every third party you share data with?
If you answer "No"…
It probably hides behind "third-party service providers".
Step 2 gives you the raw material to fix your privacy policy. Compare your existing policy to your five sentences. You will likely find gaps. Fill them.
If your policy already matches your five sentences – great. You are ahead of most of your competitors.
Q5. What if I wrote "unknown" or "to be determined" for some answers?
That is honest. And honesty is the first step to fixing problems.
Here is what to do with each "unknown" vs. "What to do next".
1. Customer location – Check your payment processor or CRM. Most show customer countries.
2. Types of data collected - Look at your signup form, checkout page, or contact form. Whatever you ask for is data.
3. Legal basis - See Q4 in the FAQ section. Or get professional help.
4. Where data is stored - Ask your IT person or check your cloud provider (AWS, Google Cloud, Microsoft Azure, etc.).
5. Who has access? - List every employee role that can see customer data. Start with yourself.
6. Retention period – Ask: "Do I have a policy for deleting old data?" If no, start with 12–24 months.
7. Third-party sharing - Check your bank account or credit card statement. Every recurring payment to a tool (Mailchimp, Stripe, Zoom, etc.) is a third party.
If you still cannot answer after investigating, that is exactly when you need professional help. SEE SECTION 6 BELOW for one-on-one support.
#6.
Need Professional One-on-One Help?
If you get stuck during Step 2, or if any of this sounds familiar – for example,
-
"I'm not sure how to fix my answers."
-
"I have no idea how to select the legal basis for my activities."
-
"I don't know if I'm collecting too much data."
-
"I'm not sure if I'm storing data safely or for too long."
-
"I don't even know who I'm sharing data with anymore."
-
"I wrote 'unknown' in too many places and cannot figure it out."
Do not worry. This is exactly where I can help.
You can reach out to me directly.
Ankit Bhargava
CIPP/E Certified Data Privacy Professional
Freelance EU-registered Data Protection Officer (DPO)
I genuinely help your business get data privacy right from the beginning to start practical compliance.