Privacy compliance is no longer just about ticking boxes. It’s a dynamic, evolving discipline that demands strategic alignment, cross-functional collaboration, and constant vigilance. In this blog, we break down ten essential tasks that compliance teams should prioritise in the second half of the year to build a scalable, efficient, and future-ready privacy programme.
Privacy can seem to be a never-ending task, where there is no such thing as perfection, completion, or forever-guaranteed compliance by maintaining the status quo.
On the positive side, the status of privacy as a moving target represents job security for compliance and privacy professionals.
Also, there are tasks that compliance teams can take on in the second half of the year that will help prepare them for a prioritized, effective, efficient, scalable, and compliant program in the next year.
Key takeaways:
- Align privacy with business goals: Collaborate with leadership, Sales, and Marketing to ensure privacy efforts support strategic data use.
- Stay ahead of regulation: Monitor emerging laws and enforcement trends, especially in areas like AI, biometrics, and industry-specific rules.
- Map the customer data journey: Regularly review how personal data is collected, used, and shared across all touchpoints.
- Evaluate your tech stack: Explore Privacy Enhancing Technologies (PETs) to streamline consent, rights management, and data governance.
- Strengthen third-party oversight: Audit contracts, data handling, and offboarding processes to ensure end-to-end accountability.
1. Align organizational data goals
Privacy compliance can be a critical business enabler, but only if the privacy and compliance teams understand business goals related to data and align their own priorities with these goals. The second half of the calendar year is a perfect time to have conversations with company executives and leaders about corporate strategy and how personal data (with privacy done right) can fuel initiatives.
Though Marketing and Sales department goals ideally flow from corporate ones, these two functions may also have their own unique point of view about how to use personal data to accomplish their objectives. It’s valuable not only to align with strategic and operational leaders, but also to engage Sales and Marketing in conversations about how privacy practices can empower their data-driven goals.
There may be an additional opportunity to educate Marketing and Sales about the value of consumer trust, advantages of customer-centric privacy practices, and even technologies available in the marketplace that stand to return better metrics, conversion rates, and return on sales and marketing dollars.
2. Identify regulatory trends
Though privacy drives consumer trust, relates to corporate ethics, and can add to the bottom line, privacy is also a compliance matter. This means that it is imperative to understand the regulatory environment, both in terms of new privacy laws taking effect in 2026 and in terms of regulator attention and enforcement strategy, in order to prioritize privacy activities for the following year.
Not only are legislators busy passing new general privacy laws and regulators writing new guidance documents related to privacy, but there is quite a bit of activity with new privacy-adjacent laws.
A thoughtful survey of privacy and privacy-adjacent rules will need to include topics like biometrics, Artificial Intelligence (AI), and security/data breach, along with industry-specific requirements such as those in healthcare, automotive, financial services, and other areas.
Fortunately, there are excellent resources available to help sift through the volume of privacy regulations. Given that the United States has an especially volatile environment in privacy now, this privacy tracker can ease some of the legwork burden.
3. Review the customer (data) journey
Websites change. Marketing adds new customer touchpoints. Operational teams collect new data to fulfil sales more quickly and effectively. New third-party relationships pop up to help provide services and reduce core business distractions.
These changes in customer experience can impact customer satisfaction, the completeness of privacy notice disclosures, comprehensiveness of the individual rights process, consent management, and many other privacy-related requirements.
An end-to-end review of each customer touchpoint related to personal data – whenever the company communicates about, collects, uses, or shares it – will go a long way towards ensuring customer trust and ongoing compliance with related processes.
4. Understand Privacy Enhancing Technologies
All but the very smallest of companies need Privacy Enhancing Technologies (PETs) to help them manage the complexity of privacy requirements while still efficiently meeting corporate objectives. Today’s technology enables critical privacy functions like consent and preference management, individual rights handling, data mapping, encryption and anonymization, and data retention or deletion. As manual management becomes costlier and the risks of non-compliance grow with stricter enforcement and penalties, the case for investing in privacy tech becomes not just smart, but essential.
That said, PETs are continuously improving, and with the advancement of AI, new efficiencies hit the marketplace all the time. By partnering with other stakeholder groups that may also benefit, like Marketing and Information Security, a privacy compliance function that reviews new benefits and lower cost structure for PETs will be prepared with internal alignment and budget for a successful year ahead.
5. Audit notice and consent
Every organization that collects and uses personal data should regularly (and at least annually) review its end-to-end consent and preference experience, along with any related notices.
A careful review will not only catch opportunities to improve the experience for consumers, but it will also answer compliance questions like, “what did the consumer agree to here and how do we enforce that consent downstream in our processes?” and “is the notice we provide related to this consent compliant with requirements, complete, accurate, and timely?”
During this review, an organization will also want to consider how it operationalizes consents and preferences and the confidence it has in its back-office oversight of applying the rules effectively.
This is the point at which many compliance and marketing functions realize that the complexity and compliance pressure of consent management have reached the tipping point of needing a consent management platform.
Whether a homegrown or vendor-provided solution, there are few companies that can collect, apply, and meet record-keeping and other requirements for consents and preferences without technology.
6. Review cookies
Websites add and remove cookies and other trackers frequently. Most organizations find it useful to review cookies and align those cookies and their category (e.g. required, functional, advertising) in their cookie consent tool. The second half of the year may also be a suitable time to consider the company’s cookie strategy overall, and whether it may make sense to move to a first-party data and consent-driven strategy.
7. Identify privacy trends
Metrics related to individual rights management, privacy inbox questions/complaints, consumer unsubscribes, and other privacy processes can provide enormously useful data points for any company interested in improving practices.
For example, if many customers unsubscribe after a particular marketing campaign, knowing that fact may help the company identify a problematic campaign and avoid repeating it. If multiple consumers write into the privacy email box to complain about a particular practice, this information will help the company adjust to improve customer satisfaction.
If one third party consistently applies individual rights requests late or not at all, that is useful to know and to resolve. In this way, collecting data points about privacy activities will help improve customer experience, internal processes, efficiency, and overall compliance.
8. Review privacy culture and awareness
A privacy culture is not just about an annual online training that everyone must complete. Smart organizations regularly consider privacy risk areas, gaps in employee awareness or understanding, and collaboration opportunities across all functions related to personal data and privacy.
Armed with this information, the company can prepare for any remediation efforts in the next year, whether that is enhanced or different training, a communication plan, joint privacy efforts, or other measures.
9. Refine and document privacy processes
Over time, any organization will naturally refine how it does things, and privacy processes are no exception to process changes. The latter part of any year is a reasonable time for a company to document new and changed processes. Not only is this good compliance hygiene, but it also helps a company reduce internal uncertainty, increase scalability, and reduce overall risk.
10. Review third-party privacy management
As companies attempt to reduce costs and distractions away from core business activities, and as the complexity of the marketplace requires more expertise to manage processes, they often turn to third parties.
The more third parties there are, the more difficult it is to ensure that each third party has signed the right data protection agreements, successfully completed the right data protection diligence tests, fulfils its data protection obligations through the course of the relationship, and has deleted or returned any personal data at the end of the relationship.
These are all reviews that a company should perform at least once a year to help ensure that its privacy and security standards apply throughout its chain of responsibility.