Privacy: Compliance with Regulatory and Legal Requirements

Overview

Glen Willis and Arthur Mansourian cover the basics of getting compliant without grinding work to a halt. Start by mapping where personal data lives, match laws to your audience, give clear ownership, and bake checks into delivery. Support teams with simple guides and measure what matters.

  • Know your data stores, flows, access, and retention.
  • Match laws to people and places, such as GDPR for EU data and CCPA for California.
  • Assign roles using RACI so decisions and actions are clear.
  • Use PIAs, vendor reviews, and scheduled checks to stay on track.
  • Track metrics like DSR response time and PIA coverage to show progress.

Transcript

Glen Willis

Hello, I’m Glen Willis, Director of Cyber Technology at Kalles Group. I’m here with two of our wonderful privacy consultants, Arthur Mansourian and Ajay Prasad. We’ve planned a series of topics to talk through that we hope you find helpful in understanding ways to set up for success with your privacy programs.

Arthur, turning to you next, let’s talk for a few minutes about compliance with regulatory and legal requirements. Depending on the type of business or the sector or industry, this could involve a whole host of different requirements. So talk to us about how to start down this path. Maybe we’ll talk about how to mature later, but for organizations: how do they make sure they know exactly which legal and regulatory requirements they’re exposed to? Who normally takes the lead in identifying those, communicating them, and driving implementation?

Arthur Mansourian

Thank you, Glen. Yes, that’s a very good point you brought up, and it really does change depending on the organization’s size and structure.

Basically, when you look at it, this is a major concern for any company or group that collects or processes personal information. Typically, the General Data Protection Regulation in Europe is the go-to regulation for ensuring compliance. In the United States, the most prevalent and strictest is the California Consumer Privacy Act, or CCPA. While it’s specific to California, it has become a very important measure, along with similar laws in other states.

These regulations are about protecting the people whose data is being used. One helpful starting point is mapping out every place the company holds personal data, where it’s stored, who it’s shared with. You need to know who has access to it, how it’s secured, and how long it’s kept.

Once you have this map, you can create a plan that sets the rules and methods for handling the data. This should cover how you gather information, obtain consent, protect the data, and eventually remove it. It’s also important to train staff so everyone understands why these rules matter and how to follow them.

In terms of knowing which regulation to follow:

  • If you’re processing data from people in Europe, GDPR likely applies.
  • If it’s people in California, then CCPA applies.

As for who takes the lead, it depends on the company size. Larger companies may have a Chief Privacy Officer or Privacy Director. Others may appoint a Data Protection Officer. These individuals monitor new laws and regulatory updates and share that information across the company.

If there’s no dedicated privacy role, businesses often rely on outside consultants like us to stay on top of changes in the privacy space. Sometimes, that outside help is essential.

Glen Willis

Once you’ve identified which requirements need to be accounted for, and let’s say it’s a net new initiative, how do you balance holding the organization accountable for compliance with providing the support they need to get there?

Arthur Mansourian

Absolutely, that’s a great question. And yes, it’s definitely a balance. Organizations are busy; they’re focused on doing business, so it’s important to help them meet privacy requirements without overwhelming them.

The first step is clear ownership and defined roles. Responsibility needs to be assigned to a specific individual, whether it’s a consultant, a Chief Privacy Officer, Privacy Analyst, Privacy Manager, or a Data Protection Officer.

As Ajay actually mentioned, using a RACI matrix is very helpful, defining who is Responsible, Accountable, Consulted, and Informed. This helps clarify who makes decisions, who implements policies, and who ensures compliance across departments.

Leadership support is also key. These efforts can be cumbersome, so it’s important that leadership understands the risks of non-compliance: fines, reputational damage, etc.

Building privacy into everyday processes is essential. It shouldn’t feel like a burden. For example, if you’re designing a new feature, privacy should be considered from the beginning, not retrofitted later.

You can also schedule compliance checks at specific intervals, like privacy impact assessments or vendor reviews. And it’s important to offer guidance, not just rules. Clear, easy-to-follow guidelines, templates, checklists, and training help employees understand how to comply, rather than just being told what they did wrong.

Finally, metrics and audits are key. Set privacy metrics, like time taken to respond to a data subject request, or the number of privacy impact assessments completed versus needed. Combined with a strong privacy culture, these tools go a long way in empowering teams with the knowledge and resources they need.
