Include privacy as a Design Input, one of many, that must be accounted for in the overall design solution. The design outputs will ultimately be verified against the inputs. Besides the ISO cite above, you probably have a HIPAA requirement and others you are thinking about. I am not sure you need a procedure; just call it an input and the Design Controls should address it via the detailed design and design verification.