Compliance frameworks exist because industries proved they couldn’t govern themselves. Health records were mishandled, credit cards were stored in plain text, financial executives cooked the books, and personal data was treated like a commodity with no rules. Regulations followed. They’re the floor — the absolute minimum standard of care. If you’re handling other people’s data, money, or health information, this is what you owe them. Here’s how to figure out which rules apply to you and what you actually need to do.
DO / DON’T
DO:
- Map your data first — Know what you collect, where it goes, and who touches it. You can’t comply with data protection rules if you don’t know where the data is.
- Treat compliance as the starting line — Meeting minimum requirements doesn’t make you secure. It makes you minimally defensible. Build beyond the floor.
- Document everything — Policies, risk assessments, access reviews, training records. Auditors want evidence, not assurances. If it isn’t documented, it didn’t happen.
- Assign ownership — Every compliance requirement needs a named owner. Not a team — a person. Accountability disappears in committees.
- Review annually at minimum — Regulations change. CCPA became CPRA. PCI-DSS moved to version 4.0. Your compliance posture needs to keep up.
- Get legal advice for your specific situation — This guide gives you the map. A qualified attorney helps you navigate the territory.
DON’T:
- Don’t assume compliance doesn’t apply to you — If you process EU resident data from Texas, GDPR applies. If you handle a single credit card number, PCI-DSS applies. Scope is broader than you think.
- Don’t treat compliance as a one-time project — It’s continuous. Point-in-time audit compliance decays within weeks if you’re not maintaining controls.
- Don’t ignore third-party risk — Your vendors’ compliance posture affects yours. BAAs, DPAs, and vendor security assessments aren’t optional.
- Don’t hide behind “we didn’t know” — Regulators expect organizations to understand their obligations. Ignorance isn’t a defense — it’s an aggravating factor.
GDPR Checklist
Applies to you if: You process personal data of EU/EEA residents, regardless of where your organization is based.
Key Requirements
- [ ] Establish a lawful basis for each processing activity — Consent, legitimate interest, contractual necessity, legal obligation, vital interests, or public task. Document which basis applies to each type of data processing.
- [ ] Provide clear privacy notices — Tell people what you collect, why, how long you keep it, and who you share it with. Plain language, not legalese.
- [ ] Implement data subject rights processes — You must respond to access, rectification, erasure, portability, and objection requests within 30 days. Build the internal process before the first request arrives.
- [ ] Appoint a Data Protection Officer (DPO) — Required if you’re a public authority, conduct large-scale monitoring, or process sensitive data at scale. Even if not required, having a privacy point of contact is smart.
- [ ] Conduct Data Protection Impact Assessments (DPIAs) — Required for high-risk processing. New systems, new data types, new third-party integrations — assess before you deploy.
- [ ] Implement breach notification procedures — 72 hours to notify the supervisory authority. No hiding it. No waiting for the PR team to craft a statement. 72 hours from awareness.
- [ ] Execute Data Processing Agreements (DPAs) — Every vendor that processes personal data on your behalf needs a DPA. Cloud providers, analytics tools, CRM platforms — all of them.
- [ ] Implement privacy by design and default — Data minimization, purpose limitation, and storage limitation baked into system design. Collect only what you need. Delete what you don’t.
- [ ] Maintain Records of Processing Activities (ROPA) — Document what personal data you process, why, legal basis, retention periods, and any cross-border transfers.
Common Gaps
- Consent mechanisms that don’t meet GDPR standards (pre-checked boxes, bundled consent, no granular options)
- No process for handling data subject access requests within the 30-day deadline
- Cross-border data transfers without adequate safeguards (post-Schrems II, Standard Contractual Clauses are the primary mechanism)
- Retaining data longer than the stated purpose requires
Quick Wins
Start with your Records of Processing Activities. This exercise alone reveals what data you have, where it flows, and where your gaps are. Update your privacy policy to be actually readable. Review your cookie consent implementation — most fail basic GDPR requirements.
HIPAA Checklist
Applies to you if: You’re a covered entity (healthcare provider, health plan, healthcare clearinghouse) or a business associate of one, handling Protected Health Information (PHI) in the United States.
Key Requirements
- [ ] Conduct a security risk assessment — HHS requires this explicitly. The most commonly cited HIPAA deficiency. Do it annually.
- [ ] Implement access controls — Unique identifiers for every person who accesses ePHI. Role-based access. Automatic logoff. Encryption for data at rest and in transit.
- [ ] Execute Business Associate Agreements (BAAs) — Every vendor touching PHI needs one. Cloud providers, billing services, document shredders, IT support. No BAA, no PHI access.
- [ ] Implement the minimum necessary standard — Only access the PHI you need to perform your job function. Broad access to patient records is a violation waiting to happen.
- [ ] Deploy audit controls — Log access to ePHI. Review logs regularly. Know who accessed what and when.
- [ ] Establish breach notification procedures — Individual notification within 60 days of discovery. Breaches affecting 500+ individuals must be reported to HHS OCR and posted publicly.
- [ ] Develop and maintain policies and procedures — Administrative, physical, and technical safeguards. Document them. Train staff on them.
- [ ] Conduct workforce training — All workforce members with PHI access must receive HIPAA training. Document completion.
- [ ] Implement physical safeguards — Workstation security, device and media controls, facility access controls.
Common Gaps
- No documented risk assessment (the single most cited HIPAA deficiency in enforcement actions)
- BAAs missing for vendors who clearly handle PHI
- Lack of encryption on portable devices containing ePHI (laptops, USB drives, phones)
- Insufficient access logging and review
- Workforce members accessing records outside their job function (the curiosity problem)
Quick Wins
Start with the risk assessment — HHS provides a Security Risk Assessment Tool specifically for smaller practices. Encrypt all portable devices and removable media. Audit your BAA inventory against your actual vendor list.
PCI-DSS Checklist
Applies to you if: You store, process, or transmit credit card (cardholder) data. This includes e-commerce sites, point-of-sale systems, and any system that touches card numbers.
Key Requirements
- [ ] Define your cardholder data environment (CDE) — Identify every system that stores, processes, or transmits cardholder data and every system connected to those systems. Reducing scope reduces burden.
- [ ] Install and maintain network security controls — Firewalls, network segmentation, access control lists between the CDE and everything else.
- [ ] Protect stored cardholder data — Don’t store what you don’t need. Mask PANs when displayed. Encrypt stored data. Never store CVV, full magnetic stripe data, or PIN data after authorization.
- [ ] Encrypt cardholder data in transit — TLS 1.2 minimum for data crossing public networks. No unencrypted transmission of card numbers.
- [ ] Implement strong access controls — Restrict access to cardholder data by business need-to-know. Unique IDs for every person with access. Multi-factor authentication for administrative access.
- [ ] Maintain a vulnerability management program — Deploy anti-malware. Keep systems patched. Develop secure software if you build applications that handle card data.
- [ ] Test security regularly — Quarterly vulnerability scans by an Approved Scanning Vendor (ASV). Annual penetration testing. Wireless network scans if applicable.
- [ ] Maintain an information security policy — Covering all 12 PCI-DSS requirement areas. Reviewed annually.
- [ ] Log and monitor all access — Centralized logging of all access to network resources and cardholder data. Retain logs for at least one year, with three months immediately available.
- [ ] Determine your validation level — Level 1 (6M+ transactions): on-site QSA audit. Level 2-4: Self-Assessment Questionnaire (SAQ). Know which SAQ type applies to your environment.
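Two of the storage controls above, masking a PAN for display and checking that a stored record holds none of the prohibited post-authorization elements, as an added example that is not part of the original checklist. The record field names and the sample record are constructed; the PAN is a standard test number, and the first-six/last-four masking format is an assumption about what your display policy allows.

```python
# Added example (not from the original checklist): PCI-DSS display masking and
# a storage check for data elements that must not be kept after authorization.
# Field names and the sample record are constructed for illustration.
import re

# Elements PCI-DSS forbids storing after authorization, as constructed field names.
PROHIBITED_AFTER_AUTH = ("cvv", "track1", "track2", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects typos and digit strings that are not card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits and replace the rest with '*'.
    Refuses implausible input so garbage never reaches a screen unmasked."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prohibited_fields(record: dict) -> list:
    """Return the prohibited elements that are present and non-empty in a
    stored record. Any non-empty result is a PCI-DSS finding."""
    return [f for f in PROHIBITED_AFTER_AUTH if record.get(f)]


if __name__ == "__main__":
    # Constructed record using the standard test PAN 4111 1111 1111 1111.
    stored = {"pan": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"}
    print(mask_pan(stored["pan"]))      # 411111******1111
    print(prohibited_fields(stored))    # ['cvv']
```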
Common Gaps
- Scope creep: cardholder data flowing through systems that aren’t in the documented CDE
- Default credentials on network devices and point-of-sale terminals
- Flat networks without segmentation between the CDE and general infrastructure
- Inadequate log retention or review
- Storing prohibited data elements (full track data, CVV) after authorization
Quick Wins
Reduce scope. The less cardholder data you handle, the simpler compliance becomes. Tokenization services from payment processors let you offload card storage entirely. If you can get to SAQ A (fully outsourced card processing), your PCI burden drops dramatically.
SOX Checklist
Applies to you if: You’re a publicly traded company in the United States, or you provide audit or IT services to one.
Key Requirements
- [ ] Document IT controls over financial reporting systems — Access management, change management, system operations, and backup/recovery for systems that process, store, or transmit financial data.
- [ ] Implement segregation of duties — The person who writes the code shouldn’t be the person who deploys it to production. The person who creates a vendor in the payment system shouldn’t be the person who approves payments.
- [ ] Maintain audit trails — Log all changes to financial systems and data. Who changed what, when, and why.
- [ ] Test control effectiveness annually — Section 404 requires management to assess internal controls and external auditors to attest to that assessment (for accelerated filers).
- [ ] Implement change management — Formal processes for changes to financial systems. Approval workflows, testing requirements, rollback procedures.
- [ ] Secure access to financial systems — Role-based access, periodic access reviews, privileged access management. Remove access promptly when roles change or employment ends.
- [ ] Maintain backup and recovery — Regular backups of financial data. Tested recovery procedures. Documented RTOs and RPOs.
Common Gaps
- Access reviews that happen annually when they should be quarterly
- Segregation of duties violations in small IT teams where one person wears multiple hats
- Change management processes that exist on paper but get bypassed “in emergencies” that happen monthly
- Lack of evidence — controls exist but there’s no documentation proving they were followed
Quick Wins
Start with an access review of your financial systems. Pull the access list, compare it against current roles, and remove stale accounts. Document the review and the actions taken. This addresses one of the most common audit findings and takes hours, not weeks.
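The access review just described, extended with the segregation-of-duties check from the requirements list, as an added example that is not part of the original article. The job-to-role map, the 90-day dormancy threshold, the conflicting role pair and the sample exports are all constructed assumptions, not SOX text.

```python
# Added example (not from the original article): a SOX-style access review of a
# financial system. Assumptions (mine): inputs are lists of dicts as an export
# might give them; the threshold, job-to-role map and SoD pair are constructed.
from collections import defaultdict
from datetime import date

ALLOWED_ROLES = {                  # job function -> roles it may hold
    "ap_clerk": {"ap_entry"},
    "controller": {"ap_entry", "ap_approve", "gl_post"},
    "developer": set(),            # no production finance access at all
}
SOD_CONFLICTS = [("ap_entry", "ap_approve")]  # one person must not hold both
DORMANT_DAYS = 90
REVIEW_DATE = date(2024, 6, 1)     # constructed review date

def review_access(access_list, hr_roster, today):
    """Return (user, role, reason) findings: the evidence an auditor asks for."""
    roster = {p["user"]: p for p in hr_roster}
    held = defaultdict(set)        # roles per user, for the SoD check
    findings = []
    for e in access_list:
        user, role = e["user"], e["role"]
        held[user].add(role)
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.append((user, role, "no active HR record: remove"))
            continue               # nothing else matters for a stale account
        if role not in ALLOWED_ROLES.get(person["job"], set()):
            findings.append((user, role, f"not permitted for job {person['job']}"))
        last = e.get("last_used")
        if last is None or (today - last).days > DORMANT_DAYS:
            findings.append((user, role, f"dormant > {DORMANT_DAYS} days"))
    for user, roles in held.items():
        for a, b in SOD_CONFLICTS:
            if {a, b} <= roles:
                findings.append((user, f"{a}+{b}", "segregation of duties conflict"))
    return findings

# Constructed sample exports; run review_access(ACCESS, HR, REVIEW_DATE).
ACCESS = [
    {"user": "alice", "role": "ap_entry", "last_used": date(2024, 5, 30)},
    {"user": "bob", "role": "ap_entry", "last_used": date(2024, 5, 31)},
    {"user": "bob", "role": "ap_approve", "last_used": date(2024, 1, 3)},
    {"user": "carol", "role": "gl_post", "last_used": date(2024, 5, 29)},
    {"user": "dave", "role": "ap_approve", "last_used": date(2024, 5, 28)},
]
HR = [
    {"user": "alice", "job": "ap_clerk", "status": "active"},
    {"user": "bob", "job": "controller", "status": "active"},
    {"user": "dave", "job": "developer", "status": "active"},
]
```

Each finding is a row you can paste into the review record, and an empty result for a system is itself the evidence that the review was done.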
If It Already Happened
If you’ve already received a compliance finding, audit failure, or regulatory inquiry:
- Don’t panic, but don’t delay — Regulators look at response time and good-faith remediation efforts. Dragging your feet turns findings into penalties.
- Engage legal counsel — Compliance enforcement has legal consequences. Get qualified advice specific to the regulation in question.
- Document your remediation — Every corrective action, every timeline, every responsible party. This is your evidence of due diligence.
- Report if required — HHS OCR for HIPAA breaches. Your acquiring bank for PCI-DSS issues. The relevant supervisory authority for GDPR. CISA accepts voluntary incident reports. Not reporting when required is its own violation.
Pick the framework that applies to you — it might be more than one — and work through the checklist. Start with the quick wins. Then build toward full compliance over a documented timeline. The frameworks overlap significantly in practice: encryption, access controls, logging, risk assessment, and incident response appear in all of them. Fix those fundamentals and you’ve addressed a significant portion of every framework simultaneously.