Three Things on Your Product Roadmap That Should Raise a Privacy Flag

If you're managing a product roadmap, you're used to balancing speed, scope, and stakeholder expectations. Privacy, I find, tends to get slotted in somewhere near the bottom of that list, or handed off entirely to legal with a "they'll catch it." The problem is that by the time legal catches it, you're already mid-sprint, and the fix is significantly more expensive than it would have been at the planning stage.

There are three triggers in particular that I tell product teams and their leadership to watch for. Spot any of these on your roadmap, and privacy needs a seat at the table before development starts, not after.

You're collecting a new type of data

Adding a feature that captures something you haven't collected before is one of the clearest privacy triggers there is. It doesn't matter whether it's biometrics, location data, health-adjacent information, or something that feels innocuous on its own. The moment you start collecting a new category of personal information, your obligations may shift.

If you already have a Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) in place, this is the point where you run a delta assessment. What's new? What additional purposes does this data serve? Are there additional legislative requirements that now apply? These are not necessarily difficult questions, but they do need to be asked, and asked early.

You're sunsetting a feature

This one catches teams off guard more often than it should. When you publicly announce that a feature or product is being retired, you tend to trigger a wave of data subject requests. People want to know what you have on them, and they want it deleted.

Think about what happened when 23andMe went under and was acquired. The company was hit with a significant influx of deletion requests that took their systems down. That's an extreme example, but the pattern is real and it plays out at smaller scales regularly. If your engineering team isn't prepared to handle that volume, or your data subject request process is still largely manual, a sunsetting announcement can create a very visible operational problem very quickly. Anticipating that demand is part of responsible product management.

You're moving into a new region or transferring data across borders

Expanding into a new market is exciting. The privacy implications of that expansion are, admittedly, less so. But they are very real. The moment personal data crosses a border, particularly out of the EU, UK, Quebec, or other jurisdictions with transfer restrictions, you are likely required to complete a Transfer Impact Assessment and have appropriate safeguards in place before that transfer happens.

This is an area where product teams and privacy teams genuinely need to work together. The product team knows where the data is going and why; the privacy team knows what's required to make that transfer lawful. Neither team can do this one alone.

None of these are obscure edge cases. They're the kinds of things that show up in a healthy product roadmap all the time, and they each carry real risk if the right questions aren't asked at the right time.

If your team could use a hand building out a privacy-aware product review process, or you'd like me to come and walk your product and engineering teams through what to look for, feel free to get in touch. It tends to be a much easier conversation before the sprint starts than after.
