You Don't Need a Perfect Privacy Program. You Need to Start One.

There's a conversation I find myself having surprisingly often with founders and CTOs at growing tech companies. It goes something like this: "We know we probably need to look at privacy, but we're not processing that much personal data yet" or "we're not ready to take on something that big." And so the program gets shelved. Indefinitely.

The irony is that waiting until you feel "ready" is one of the riskier positions you can take.

Here's what regulators and privacy commissioners are actually looking for when they come knocking. They're not expecting a Fortune 500-grade privacy operation from a 30-person software company. What they are looking for is evidence that you've thought about privacy, that you've started doing something about it, and that there's a reasonable plan in place to keep improving. The distinction matters enormously.

If you look at the OECD Privacy Principles, accountability is one of the key principles. And accountability, at its core, means documentation. It means being able to show that a program exists, that someone owns it, and that there's a roadmap for where it's going. You don't need to have crossed every item off that roadmap. You need to have one.

The same thread runs through GDPR, PIPEDA, and most of the other major privacy frameworks you'll encounter as a software company with clients in regulated markets. Accountability is both a foundational principle and, in many cases, a legal obligation. And the bar for demonstrating it is lower than most people assume. A data inventory, a basic privacy policy, a documented process for handling access requests, and a written plan for what comes next can go a very long way.

Where companies get into trouble is in the all-or-nothing thinking. They look at what a mature privacy program looks like at a large enterprise and decide the gap is too wide to close, so they don't start at all. A regulator who finds no program, no documentation, and no evidence of intent will have a very different conversation with you than one who finds a modest but genuine effort underway.

The size and nature of your business matter here too. A startup processing a modest amount of customer data does not need the same infrastructure as a bank. There are obligations you must meet regardless of your size, but the way you meet them can and should be right-sized to where you actually are. A tight, practical program that fits your stage of business is far more valuable than a sprawling framework that no one follows because it wasn't built for you.

The practical starting point is simpler than you'd think: know what personal data you hold, know why you hold it, have a basic policy in place, and document that someone is accountable for the program. From there, you build. Incrementally, deliberately, and in proportion to your growth.

If the capacity to get this started simply isn't there internally, that's a completely reasonable place to be. This is exactly the kind of engagement I take on as a fractional privacy advisor: coming in, doing the groundwork, and building something that fits your company at the stage you're at right now, not the stage you'll be at in five years. I'm also available to speak to your team directly about what a right-sized privacy program looks like in practice, which tends to shift a lot of the "this is too big for us" thinking pretty quickly.

If you're not sure where to start, feel free to reach out. Sometimes the first conversation is the only thing standing between you and a program that actually works.
