Today is my dad’s birthday. And if you have been following along for a while, you know he recently passed away. So much of me and my approach to business is because of him, so it seems fitting to share one of his older professional pictures.

In issue #10, I shared more about him and his philosophy of Do Your Best (DYB). In this issue, we’re going to talk about what you may have done in Q1 and how to plan the rest of the year. In his honor, ask yourself: what does DYB look like for your privacy program for the rest of the year?
Are you headed to the IAPP Global Privacy Summit? I’ll be there mid-day Monday and also attending the IAB Public Policy & Legal Summit.
Send me a message if you’re there so we can meet up. Be on the lookout for the rest of our Red Clover team too!

After the conference, we’ll send a summary of what we heard on the ground from regulators and industry pros.
We are at the end of Q1 2026. And if you are like most privacy and compliance professionals I talk to, your Q1 to-do list looks a little like a highlight reel of good intentions.
The data mapping project that was going to finally get done this quarter? Still in progress. The vendor contracts that needed updating? Partially tackled. The employee training refresh? On the calendar for April. The policy review? Everyone agreed it needed to happen. Nobody has started.
This newsletter is not here to make you feel bad about that. It is here to help you actually do something about it. Here are the most common areas where we see companies slip, along with a suggested action step to course correct for the rest of the year.
Seven Things That Slipped in Q1 and What to Do About Each One
Data mapping and inventory.
Your data map is the foundation of almost every other privacy activity. Without it, you are making decisions in the dark.
Next step: Schedule a 60-minute working session with IT, marketing, and operations. Come prepared with three questions: what personal data do we collect, where does it live, and how long do we keep it. You do not need a perfect map. You need a starting point.
Vendor contract reviews.
New vendors onboarded without data processing agreements are a compliance gap that compounds over time.
Next step: Pull a list of every vendor onboarded in the last 12 months. Flag any without a signed DPA. Pick the top five by data sensitivity and get agreements in place before the end of Q2.
Employee training.
High completion rates are not the same as effective training. If your content has not been updated since your last major policy change, it is already stale.
Next step: Pick one team that regularly handles personal data, such as customer service, marketing, or HR, and run a 15-minute refresher (it can even be a pre-recorded video) this month. Role-specific and brief beats company-wide and ignored every time. Follow on social to catch a podcast episode releasing in April where, as a guest, I talked about this very topic.
Risk assessments and PIAs.
Every new product, tool, or process that touches personal data may need a privacy review. If your team has been moving fast, reviews have likely not kept pace.
Next step: Meet with each department to get a list of new tools or projects launched in Q1. An old-fashioned meeting is the way to go to hear what’s being worked on. Cross-reference against completed PIAs. Whatever is on the first list but not the second is your Q2 assessment queue.
Privacy notice updates.
Your privacy notice is a public commitment. If your actual data practices have changed and your notice has not, those two things are out of sync. Regulators and customers check these first.
Next step: Read your current privacy notice as if you are a customer who knows nothing about your business. Does it accurately reflect what you actually do today? If not, flag the gaps and get legal or outside counsel involved to update it.
Consumer rights request process.
Can anyone at your company describe exactly what happens from the moment a request comes in to the moment it is fulfilled?
Next step: Submit a test request to your own company right now. See what happens. How long does it take to receive a response? Who handles it? Where does it go? You will learn more from that exercise than from any process document.
Policy reviews.
Privacy policies, data retention schedules, and acceptable use policies all need regular review. If yours have not been touched in a year or more, they are almost certainly behind.
Next step: Put a recurring 90-minute policy review on the calendar for June and December. Assign one owner. That is all it takes to turn a reactive scramble into a consistent habit.
Here’s a handy graphic pulling all of this together (print or save it!)

Why Measuring Your Program Makes All of This Easier
Here is where metrics come in: not as a reporting exercise, but as a practical tool for deciding where to focus first.
According to the Cisco 2026 Data Privacy Benchmark Study, 99% of organizations report measurable benefits from their privacy investments, with enhanced agility and innovation now leading as the top reported outcome. Privacy done well is not just a compliance cost. It is a business advantage.
Here are a few other super handy stats from the report too:

Companies can only manage what is measured. And the data that tells you where to focus is often already sitting in your systems. If you bring a Q1 update to leadership, connect these numbers to what they care about.
A few sample numbers worth pulling as you plan Q2:
- How many consumer requests came in during Q1, and how long did they take to resolve? If response times are stretching, that is a process problem that compounds.
- How many projects required a PIA versus how many actually got one? That gap is your risk exposure.
- What percentage of active vendors have current, signed data processing agreements? If you do not know, finding out is a priority.
Cisco also found that 95% of organizations say robust privacy frameworks are essential for maintaining customer trust, and 94% say privacy investments make their organization more attractive to investors.
Frame your program’s performance around those outcomes, not compliance checkboxes.
Staying Ahead of What Is Coming
Even as you work through your Q1 backlog, the regulatory landscape keeps moving: new states are passing laws, and amendments and new requirements are kicking in (hello, CCPA Privacy Risk Assessments).
The most practical thing you can do right now is build a simple regulatory calendar – a living document that answers three questions: what laws or amendments apply to us, when do they take effect, and what do we need to do before then.
Assign one person to own the regulatory calendar. Review it at the start of every quarter. Update it when things change. That single habit will do more to keep your program current than any reactive scramble after the fact.
A few things belong on every regulatory calendar right now:

The Rest of the Year in Plain Terms
Q2 is for closing the gaps Q1 left open. Pick the two or three items from the list above that carry the most risk and get them done before June.
Q3 is for making your program more resilient. Build process documentation. Cross-train so the program does not depend on one person. Build the processes that let your program scale without breaking.
Q4 is for looking ahead. What do you need for 2027? What budget do you need, and what data from this year supports that ask? Set your goals now so that next Q1 you have something to point to. It will be here quickly (scary, I know).
Here’s a suggested roadmap. In this general newsletter to thousands of people, I can’t tailor it to each company. I encourage you to take this approach and think about what’s on your to-do list and how to get it done across the rest of the year.

The Bottom Line
Privacy programs are never fully done. There is always another law, another vendor, another project that needs a review. That is not a failure of your program. That is the nature of the work, and as my dad would say, do your best at making it the most effective it can be.
We LOVE creating these privacy program roadmaps. If this feels overwhelming (which we hear often) and you need help or an external opinion, send me a note and let’s talk.
Q1 had its unfinished business. Q2 is your chance to change that. Pick one thing from the list above and do it this week. Not next month. This week.
What is the one privacy task you have been putting off the longest? Reply with your comments. I have a feeling you are not alone.
And remember, if you’re at IAPP come find me so we can say hi #IRL.
Jodi
💡 When you’re ready, here’s how we can help:
⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.
⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.