Start with seven questions

  1. What personal data do you collect?
  2. Why do you collect it?
  3. Where is it stored?
  4. Who can access it?
  5. Which vendors process it?
  6. How long do you keep it?
  7. What will you do if it is exposed, lost, or misused?

Answer these before reaching for a policy template.