I don’t decide compliance on my own, but I make sure every feature respects privacy from the start.
The rules I enforce
- Data classification: every field is labeled personal, sensitive, or public.
- Minimization: systems only keep what they need and purge data according to a clear policy.
- Traceability: every access to sensitive records is logged alongside a justification.
We write simple, plain-language policies (e.g., "sharing customer data needs a manager sign-off"), automate data exports, and test compliance in CI pipelines so a violation fails the build rather than waiting for an audit.
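What "test compliance in CI" can look like for the three rules above, as an added example: this is not the author's tooling, and the schema layout, field names, retention periods, log format and justification string are assumptions. `check_classification` fails the build if a field has no known label, `read_field` refuses a sensitive read without a justification and writes every attempt (allowed or denied) to an audit log, and `purge_expired` applies a per-classification retention window.

```python
"""Added example (not the author's tooling): the three rules above as checks a CI job can run.
The schema layout, field names, retention periods, log format and justification string are assumptions."""
import json
from datetime import datetime, timedelta, timezone

CLASSES = {"public", "personal", "sensitive"}

# Assumed retention policy per classification, in days (None = keep indefinitely).
RETENTION_DAYS = {"public": None, "personal": 365, "sensitive": 90}

# Constructed schema, as a CI job would load it from a file in the repo.
SCHEMA = {"customers": {"id": "public", "email": "personal", "health_notes": "sensitive"}}

AUDIT_LOG = []  # stand-in for an append-only audit sink


def check_classification(schema):
    """Rule 1: every field carries a known label. Returns a list of violations (empty = pass)."""
    problems = []
    for table, fields in schema.items():
        for name, label in fields.items():
            if label not in CLASSES:
                problems.append(f"{table}.{name}: label {label!r} is not one of {sorted(CLASSES)}")
    return problems


class AccessDenied(Exception):
    pass


def read_field(schema, table, record, name, actor, justification=None, log=None, now=None):
    """Rule 3: every read is logged as a JSON line; sensitive fields also require a justification.
    A denied attempt is logged too, so the trail shows who tried to read without one."""
    log = AUDIT_LOG if log is None else log
    now = now or datetime.now(timezone.utc)
    label = schema[table][name]
    entry = {"ts": now.isoformat(), "actor": actor, "table": table, "record": record.get("id"),
             "field": name, "label": label, "justification": justification}
    if label == "sensitive" and not justification:
        log.append(json.dumps({**entry, "outcome": "denied"}))
        raise AccessDenied(f"{table}.{name} is sensitive; a justification is required")
    log.append(json.dumps({**entry, "outcome": "allowed"}))
    return record[name]


def purge_expired(schema, table, records, now):
    """Rule 2: blank out values whose retention window has elapsed. Returns the number purged."""
    purged = 0
    for rec in records:
        age = now - rec["_created"]
        for name, label in schema[table].items():
            days = RETENTION_DAYS[label]
            if days is not None and age > timedelta(days=days) and rec.get(name) is not None:
                rec[name] = None
                purged += 1
    return purged


def demo(now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Constructed scenario: a 100-day-old record, reads with and without justification, then a purge."""
    log = []
    rec = {"id": 42, "email": "ann@example.com", "health_notes": "allergy: penicillin",
           "_created": now - timedelta(days=100)}
    out = {"schema_ok": check_classification(SCHEMA) == []}
    out["email"] = read_field(SCHEMA, "customers", rec, "email", "ann.ops", log=log, now=now)
    try:
        read_field(SCHEMA, "customers", rec, "health_notes", "ann.ops", log=log, now=now)
        out["denied"] = False
    except AccessDenied:
        out["denied"] = True
    out["notes"] = read_field(SCHEMA, "customers", rec, "health_notes", "ann.ops",
                              justification="support ticket 4711", log=log, now=now)
    # health_notes (90-day window) is expired at 100 days; email (365-day window) is kept.
    out["purged"] = purge_expired(SCHEMA, "customers", [rec], now)
    out["notes_after"] = rec["health_notes"]
    out["audit_outcomes"] = [json.loads(line)["outcome"] for line in log]
    return out


if __name__ == "__main__":
    import sys
    problems = check_classification(SCHEMA)
    for p in problems:
        print("FAIL", p)
    print(json.dumps(demo(), indent=2))
    sys.exit(1 if problems else 0)
```

Run as a CI step, the exit code turns an unlabeled or mislabeled field into a failed build; the audit entries are JSON lines so they can be shipped to whatever log sink the team already uses, and the denied entry is as valuable as the allowed ones when reviewing who tried to reach sensitive data.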
A constant mindset
Compliance is a marathon, not a sprint: consent banners have to keep working, deletion flows have to stay reliable, and review processes have to stay visible. Incidents are treated as occasions to update policies and rewrite runbooks, not as crises.