Compliance and privacy policy
Who this is for
Founder-led lower-middle market companies with 5 to 50 million in annual revenue that handle customer data or operate in regulated sectors.
The quick answer
Publish a short, plain policy set. Code of conduct, privacy policy, data handling and retention, access control, incident response, vendor risk, and request handling for data subjects. Name a privacy officer, train staff each year, and keep a log of incidents and corrections. Use a standard data protection addendum with vendors.
The method in eight steps
Define the policy set
Code of conduct. Privacy policy. Data handling and retention. Access control. Incident response. Vendor risk. Data subject request handling.
Appoint a privacy officer
Give clear authority and time. List the officer in policies and on your site.
Inventory data and flows
Map what you collect, where it lives, who can see it, and where it moves. Classify sensitivity so rules are proportionate.
Write simple rules
Use plain words. Explain how to collect, store, access, and delete data. State retention periods and disposal methods.
Vendor due diligence
Use a short checklist before adding a vendor. Store data protection addenda with contracts.
Incident response
Document roles, timelines, and first steps. Test the plan twice a year.
Train and attest
Run annual training with short refreshers. Record completion.
Log and review
Keep an incident and request log. Review quarterly and record corrections.
Example
A services firm published a plain policy set, mapped data flows, and trained staff. An access error was logged and fixed in one day, which built trust with a key customer.
Pitfalls and fixes
Long policies nobody reads. Keep them short and specific.
Vendors without addenda. Standardise the data protection addendum.
No logs. Track incidents and requests and review fixes.
Checklist
Policy set published
Privacy officer named
Data flows mapped
Vendor checklist and addenda
Incident plan and drills
Training and logs
Related links
Meet baseline cyber security
Standard customer contracts
Manage intellectual property
Want a policy set that customers accept and your team can follow? Contact Founded Partners and we will write the policies, the vendor checklist, and the training plan with you.