AI Product Privacy Readiness Checklist

Use this gate before shipping or updating any AI-powered feature. Each section highlights the minimum artifacts compliance teams expect when they review your product.

1. Data Inventory

• List every data source (uploads, transcripts, logs, user metadata).
• Mark personal vs. non-personal data and define retention windows.
• Track third-party processors (OpenAI, Pinecone, etc.) with executed DPAs.

2. Legal Basis & Consent

• Document lawful basis per region (GDPR, CCPA, LGPD, etc.).
• Map every consent touchpoint (marketing site, product, contracts).
• Ensure opt-out or deletion flows are documented and testable.

3. Transparency

• Publish an AI usage statement that covers purpose, models, and limitations.
• Update Privacy Policy & Terms with AI-specific language.
• Share how you handle datasets, prompts, and human-in-the-loop review.

4. Risk & Safety Controls

• Complete a DPIA or lightweight risk assessment for every feature.
• List safeguards (rate limits, abuse detection, human escalation).
• Maintain an incident response playbook with breach-notice timelines.

5. Individual Rights

• Provide a DSAR intake (email alias or secure form).
• Assign owners and SLAs for access, deletion, correction, and opt-out.
• Keep pre-approved response templates for each request type.

6. Vendor Management

• Store signed DPAs and security summaries for every AI vendor.
• Review vendor practices quarterly (and capture re-verification dates).
• Track downstream sub-processors used by your vendors.

7. Review Cadence

• Schedule quarterly policy reviews with accountable owners.
• Log the last audit date and open remediation items.
• Record lessons learned when incidents, DSARs, or audits occur.