Dear Advisor: How do I know if my company is compliant with security and privacy regulations?

December 2021, updated February + November 2022

With the Log4j vulnerability and the AWS outage this month, I’m getting many requests for advice around security. Since security also goes hand-in-hand with CCPA (for customers in California), GDPR (AKA “right to be forgotten”) and other privacy regulations, such as for healthcare and finance, I’ll share advice that applies to both security and privacy here.

Disclaimer: This is not legal advice, but a framework to help you do this assessment of your company yourself.

My framework for how you can evaluate your company’s security and privacy practices touches on people, process and technology. Once you diagram/answer these questions, you should be able to cross-reference your work against regulations, to see for yourself where the security gaps are in your current process.




I’ll admit, this looks deceptively simple, but it will take some time to complete. One way to get started is to pick a business question you'll try to answer, and as you work on answering that question, document the answers to the questions here, so you can see for yourself where the security gaps are in your current process.

Good luck! If you need help figuring out what business question to start with, please reach out!
