Product managers often balance speed, scope, and stakeholder expectations, with privacy relegated to a lower priority or handed to legal. However, addressing privacy concerns during planning stages proves far more cost-effective than mid-sprint corrections.
Here are three scenarios that should trigger a privacy review before development begins.
You're Collecting a New Type of Data
Adding a feature that captures something you haven't collected before is one of the clearest privacy triggers there is. New data categories, whether biometrics, location information, or health-adjacent data, may shift your legal obligations significantly.
If your organisation has existing Privacy Impact Assessments or Data Protection Impact Assessments, a delta assessment is appropriate. The right questions to ask: what is new here? What additional purposes apply? Are there legislative requirements we haven't previously encountered? These deserve early attention, not a retrospective checkbox after the feature ships.
You're Sunsetting a Feature
Feature retirement announcements typically trigger waves of data subject requests. When 23andMe faced acquisition, deletion requests overwhelmed their systems. That's an extreme example, but the pattern holds at every scale.
Teams must prepare for an increased volume of deletion requests when any significant feature is being wound down. Manual processes become operational bottlenecks quickly. Responsible product management means anticipating that demand surge and having a plan before the announcement goes out, not after.
You're Moving Into a New Region or Transferring Data Across Borders
Expanding into new markets raises significant privacy implications. When personal data crosses borders, particularly from the EU, UK, Quebec, or similar jurisdictions, transfer impact assessments and appropriate safeguards typically become legally required prerequisites, not optional due diligence.
Product and privacy teams need to collaborate on this one. Product teams understand where data is going and why. Privacy teams know the transfer requirements. Neither can do it alone, and leaving it until the feature is already being built is leaving it too late.
These three scenarios appear regularly in healthy product roadmaps. Asking the right questions at the right time mitigates substantial risk and keeps the sprint moving. Asking them after launch does neither.