# SMB Data Privacy Checklist **TechEd Analyst Template | Version 1.0** > Use this as a starting point to get organized. It is not a compliance determination and does not tell > you which laws apply to you — that depends on your specific business and is a question for your > attorney. --- ## 1. Data inventory — what you hold - [ ] We have a written list of the types of personal data we collect. - [ ] We know why we collect each type (the business purpose). - [ ] We know which data is "sensitive" ([health], [financial], [biometric], [precise location], etc.). - [ ] We collect only what we use ([review and trim annually]). ## 2. Storage & access — where it lives, who can reach it - [ ] We know where each type of data is stored ([tool/system]). - [ ] Access is limited to people who need it ([roles]). - [ ] We have a way to delete data when it's no longer needed. - [ ] Backups and exports are accounted for, not forgotten. ## 3. Vendors & tools — what your tools do with your data - [ ] We have a list of vendors/tools that touch personal data. - [ ] We've checked what each vendor does with the data ([read the data terms]). - [ ] We know which tools use our data to train AI/LLMs, if any. - [ ] We have agreements or terms on file for the vendors that matter. ## 4. Internal handling — team rules - [ ] We have a written rule for what staff may and may not paste into AI tools. - [ ] New team members are told the data rules ([onboarding step]). - [ ] There's one named owner for data questions ([owner]). ## 5. Incident basics — if something goes wrong - [ ] We know who to call first ([owner], [attorney]). - [ ] We have a rough plan for notifying affected people if required ([check with counsel]). - [ ] We log what happened and what we changed. --- > This is a customizable operational checklist for general use. It is not legal, financial, or > compliance advice, and completing it does not make your business compliant with any law. You are > responsible for how you apply it. For obligations specific to your business, consult a licensed attorney.