Start with seven questions
- What personal data do you collect?
- Why do you collect it?
- Where is it stored?
- Who can access it?
- Which vendors process it?
- How long do you keep it?
- What will you do if it is exposed, lost, or misused?
Answer these before reaching for a policy template.