Maybe you’ve already heard this, but the California Consumer Privacy Act (CCPA) has some new privacy and security audit requirements coming into effect starting next year for large businesses and subsequent years for smaller companies. If you haven’t started thinking about how you’ll prove that you run privacy trainings, manage vendor risk, and honor user choices, now is probably the time.
You will need better evidence than “I’m pretty sure we did that” when your independent auditor prepares the report and makes one of your executives personally attest to it.
Audits are the moment when even the most confident privacy professional realizes that compliance is not just doing the work but being able to prove you did the work, especially when someone else is setting the timeline and asking for receipts.
The evidence index (also called a master artifact register) is how you stop relying on institutional memory and start relying on a system.
Why evidence is the unsexy secret to provable privacy
Evidence matters because third parties can’t grade what your organization intended to do. They can only grade what you actually did, and just like that math test in high school, you must show your work.
Auditors, insurers, enterprise customers, and regulators (basically anyone who might be asking for evidence) will all ask some version of the same thing: show me how your program works. If you can’t answer with evidence, you lose time and credibility.
An evidence index is simply a structured list of your program artifacts, including what they are, who owns them, where they live, and when they were last updated.
What belongs in an evidence index
You do not need to index every communication about your privacy program, but you should be indexing the artifacts that show the program is designed, implemented, and improving. Some evidence types might include:
Governance: charter, roles and RACI, decision rights, policy governance standard
Operational registers: data inventory, vendor register, PIA register, DSR log
Controls: retention schedule, deletion SOP evidence, consent configuration evidence
Readiness: tabletop reports, incident decision logs, executive update templates
Training: training plan, completion logs, role-based outlines
Don’t turn your evidence index into a bureaucratic nightmare
Your evidence index will go from helpful guide to horrifying hindrance if it ends up becoming a second job. If updating the index is harder than doing the work, nobody will maintain it, and an outdated index might just be worse than not having one at all.
The fix is to make the index a lightweight wrapper around things you already do. When you update a policy, you update the index entry. When you complete a tabletop, you add the report. When you run training, you attach the completion log.
The index should also have a few key fields: artifact name, domain, owner, location, last updated, review cadence.
Evidence routines are the secret to keeping it current
Evidence freshness is what separates a living program from a shelf program. The easiest way to keep evidence fresh is to schedule small routines, including adding evidence updates into your standard operating procedures.
Examples: monthly check that key registers were updated, quarterly evidence snapshots for consent/cookies, annual review of policies and training. Routines need to be consistent and owned, but keep them as lightweight as possible.
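As an added illustration (not a tool from the post or from The Privacy Design Lab), here is a small freshness check over an index that uses the fields listed above; it assumes the monthly, quarterly and annual cadences map to maximum ages in days, and the index entries are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Assumed mapping from review cadence to the maximum age (in days) an artifact
# may reach before it counts as stale.
CADENCE_DAYS = {"monthly": 31, "quarterly": 92, "annual": 366}


@dataclass
class Artifact:
    """One row of the evidence index: the fields the post recommends."""
    name: str
    domain: str
    owner: str
    location: str
    last_updated: date
    review_cadence: str


def unknown_cadence(index):
    """Entries whose cadence is not in CADENCE_DAYS; they can never be checked."""
    return [a.name for a in index if a.review_cadence not in CADENCE_DAYS]


def days_overdue(artifact, today):
    """Days past the allowed age; zero or negative means the artifact is current."""
    return (today - artifact.last_updated).days - CADENCE_DAYS[artifact.review_cadence]


def stale_artifacts(index, today):
    """(name, owner, days overdue) for every entry whose review window has lapsed."""
    checkable = [a for a in index if a.review_cadence in CADENCE_DAYS]
    return [(a.name, a.owner, days_overdue(a, today))
            for a in checkable if days_overdue(a, today) > 0]


# Constructed sample index (hypothetical artifacts, owners and locations).
SAMPLE_INDEX = [
    Artifact("Data inventory", "Operational registers", "privacy-ops",
             "wiki/data-inventory", date(2025, 5, 20), "monthly"),
    Artifact("Consent configuration snapshot", "Controls", "web-team",
             "drive/consent/2025-Q1", date(2025, 2, 28), "quarterly"),
    Artifact("Retention schedule", "Controls", "legal",
             "policies/retention.pdf", date(2024, 12, 1), "annual"),
    Artifact("Training completion log", "Training", "hr",
             "lms/export-2025-06", date(2025, 6, 2), "monthly"),
]
AS_OF = date(2025, 6, 15)  # constructed "today" for the sample run

if __name__ == "__main__":
    for name, owner, late in stale_artifacts(SAMPLE_INDEX, AS_OF):
        print(f"STALE: {name} (owner {owner}) is {late} days past its review window")
```

Running the monthly routine is then a matter of calling `stale_artifacts` on the real index and sending each line to the named owner.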
What you get when evidence is easy
When your evidence index is maintained, you answer questionnaires faster. You prepare for audits faster. You brief leadership faster. You negotiate vendor contracts with more confidence. You also sleep better.
This is the paradox of evidence: it feels like overhead until you need it. Then it feels like oxygen.
Become a paid subscriber to get access to all of the mini tools that we publish with each post. For instance, this post includes an Evidence Routine Checklist.
Finally, a reminder that the opinions expressed in this article are the opinion of The Privacy Design Lab. They are not legal advice, and no attorney-client relationship is formed by reading this article or downloading the Evidence Routine Checklist. If you need to consult legal counsel, you can book a consult with ARLA Strategies or other legal counsel you trust!

If you’re tired of privacy advice that only works in theory, you’re in the right place.
The Privacy Design Lab exists for people who want to practice privacy, not just talk about it. It focuses on practical, repeatable ways teams actually learn. We offer hands-on workshops, downloadable systems, and the Design Studio community where teams and practitioners can go deeper. Paid Fieldnotes subscribers get access to our full archive, plus supporting materials you can actually use.
If that sounds like your kind of work, we’d love to have you.