The GDPR and other laws require privacy by design, but it remains a broad imperative without firm standards. Companies aiming to comply now often conduct a technical privacy review (TPR) as a step before a better-known exercise, the privacy impact assessment. At the recent International Association of Privacy Professionals Global Privacy Summit, prominent privacy engineers from DoorDash, Meta, Microsoft and Uber performed a simulated TPR that examined a consumer app’s reliance on a large language model. This article distills the simulation’s interview dialogue and resulting action items, as well as the speakers’ advice for conducting TPRs. See “Effective Use of Privacy Impact Assessments” (May 4, 2022).