Navigating compliance in a fragmented geopolitical and regulatory landscape can be a daunting task. Jessica Sweet, data protection and privacy counsel at iManage, explains how well-thought-out processes and the judicious use of technology can lighten the burden.
Due to the rapidly evolving and fragmented regulatory landscape, keeping up with the almost daily changes, be that in privacy, AI, or other legislative areas, can feel like an impossible task. By embracing the right governance and information management approaches and harnessing the right technologies, corporate legal departments can keep their heads above water and safely navigate a path forward.
A maze of regulations
On the AI front, legislation is emerging in the EU to address the legal implications of AI technologies with a risk-based regime, while the US is pushing for a moratorium on state-imposed AI legislation.
The geopolitical landscape is also contributing to the complexity of global compliance efforts. Many countries are adopting protectionist policies driven by concerns over national security, economic sovereignty, and data privacy. As a result, companies must navigate a maze of regulations that vary from one country to another, making it an increasing challenge to maintain compliance on a global scale.
No need to reinvent the wheel
How can organisations start wrapping their arms around this challenge to bring it under control? The first order of business is to leverage existing compliance frameworks within the organisation.
Whether it’s for GDPR, a local law, or something else entirely, most organisations already have some sort of compliance framework in place that they can utilise for new legislation that's coming down the line.
For example, an existing compliance framework might conduct privacy impact assessments (PIAs) when a new product or service is being launched internally. The organisation can leverage the PIA process that exists today to assess AI tools, taking into account the AI and automated decision-making legislation coming down the line.
There's no need to reinvent the wheel.
What’s your “gold standard”?
It's almost impossible for a global organisation to regionally customise its response to every single law and regulation; far better to have a “gold standard” that can be applied across regions.
For instance, the time limit for responding to data subject access requests (DSARs) is different in the EU from in the United States (i.e., it’s more stringent in the EU). It makes sense, then, to use an EU framework like GDPR as the organisation-wide gold standard and starting point, and to tailor the advice depending on legal nuance.
Where teams are unsure, lean on specific external expertise for deviations from the standard that might need to be addressed.
Let tech lend a hand
A compliance management system can be extraordinarily useful for helping organisations track and manage regulatory changes in real time. These systems provide a centralised platform for horizon scanning, monitoring compliance requirements, assisting with risk assessments, and generating reports.
By automating some of these processes, legal departments can reduce the burden of manual compliance tracking and ensure that they stay up to date with the latest regulations.
If a fully fledged compliance management system isn’t on the cards, note that new generative AI chat tools (Copilot, ChatGPT, etc.) can be quite useful for rounding up and summarising regulatory updates from the past week.
Once a team has the relevant information, such as case law or relevant legislation, templates can be curated and uploaded to a centralised repository like a document management system (DMS). Having this single, centralised system for important files ensures that everyone on the team is drawing from the same quality documentation and templates.
When used in conjunction with a strong records management system, it also ensures that any AI tools that are querying the DMS to answer questions – e.g., “when does the UK Data Use and Access Bill go into full force?” – are drawing upon vetted, relevant content as their source. The adage “rubbish in, rubbish out” really does apply when it comes to AI.
Finally, keeping up with regulatory changes requires continuous training and education for legal and compliance teams. Collaborate with your team to understand their daily operations and use of tools, and then tailor bespoke training sessions.
Additionally, organisations might wish to invest in training programs that cover the latest regulatory developments and best practices for compliance.
No magic bullets
Admittedly, there are no magic bullets when it comes to compliance, but there are multiple opportunities to make smart decisions around how to approach it. With a careful eye towards governance and compliance best practices, and the technologies that can support them, organisations can successfully stay on top of their compliance obligations and contend with an increasingly fragmented regulatory landscape.