Privacy by design is not a mindset — it's a set of operational decisions that either exist in your workflows or don't. In Cadenio, it starts at the template level: required fields for lawful basis, purpose, and retention whenever personal data is processed. Not optional fields. Required ones.
High-risk processing changes need approval gates. New integrations, cross-border transfers, expanded data collection — these should require a named reviewer to explicitly approve before the work proceeds. That decision, and the reasoning behind it, should live in the audit trail. Not in an email.
Rights requests and deletion operations need dedicated flows with ownership and an SLA. When you treat these as tickets, you lose sequencing, you lose evidence, and you lose the ability to demonstrate compliance. When you treat them as operational workflows, they become measurable.
New product features that process personal data shouldn't go live without a privacy checkpoint. This is uncomfortable to enforce — engineers want to ship, and 'waiting for privacy review' feels like friction. But a single feature launched without a lawful basis on record is a finding. Treat the checkpoint as a gate, not a suggestion.
Privacy KPIs should be reviewed weekly by product and operations — not just surfaced in quarterly legal reviews. Overdue rights requests, pending deletion actions, incident-response lead time. These are operational health metrics. Assign them accordingly.
