
Foundational Guide

Regulatory Compliance and the Governance Controls That Support It

Regulatory compliance can feel like a moving target, but strong data governance turns scattered obligations into repeatable controls. This guide explains how governance controls help organizations prove compliance across privacy, financial, healthcare, payment, cybersecurity and AI regulations.

REGULATORY COMPLIANCE DEFINED

Regulatory compliance is the practice of meeting external legal, industry, contractual or regulatory requirements that govern how an organization operates, including how it collects, protects, uses, retains and deletes data.

Most organizations discover the disconnect between data governance and compliance at the worst possible moment: an audit request arrives, and the team realizes the policies they wrote don’t map cleanly to evidence they can produce. The scramble that follows — reconstructing access history, tracking down data owners, documenting controls that were never formally defined — is avoidable.

Governance provides the operating model and control plane that help generate and preserve the audit trails needed for regulatory compliance. A well-run governance program can help make compliance across multiple regulatory frameworks more sustainable. It can help translate regulatory requirements into enforceable controls, support continuous evidence retention and enable reuse of controls across multiple obligations.

What is regulatory compliance in the data context?

In the context of data, regulatory compliance means meeting external legal, contractual and industry obligations for how data is collected, processed, protected, shared, retained and deleted. GDPR, CCPA, HIPAA, PCI DSS, SOX, DORA, NIS2 and emerging AI regulations each define different legal, sectoral or operational expectations, but many of them rely on the same control families: data classification, access control, audit trails, retention, breach response and demonstrable accountability.

A governance-first approach helps organizations build those controls once, map them to many obligations and keep evidence available before an auditor asks for it.

Data governance and regulatory compliance

| | Data Governance | Regulatory Compliance |
|---|---|---|
| Scope | Covers data ownership, quality, access, classification, lifecycle, lineage and control across the organization | Covers data and processes that fall under specific laws, regulations, contracts or industry obligations |
| Primary driver | Business strategy, risk tolerance, operating model and data management needs | External requirements imposed by regulators, auditors, industry bodies or legal commitments |
| Ownership | Usually led by data leaders, governance councils, stewards and platform owners | Usually led by compliance, legal, risk and audit stakeholders |
| Time horizon | Ongoing and iterative as data, systems and business use cases change | Often tied to enforcement dates, audit cycles, reporting obligations and new regulatory deadlines |
| Main outcome | Better data quality, trust, usability, consistency and control | Demonstrable adherence to required obligations and reduced exposure to penalties |
| Typical posture | Proactive, because controls and standards are designed before problems surface | Often reactive, because requirements originate outside the organization |

Governance controls are only effective when they span the entire value chain — protecting data not just at rest but in use.

Jennifer Belissent
Principal Data Strategist at Snowflake

How data governance enables regulatory compliance

To see just how closely governance and compliance are connected, it’s useful to look at the operating chain as the spine: policy → control → audit trail → evidence.

A legal or regulatory requirement usually starts as language in a statute, standard, contract or audit framework. For the data team, that language has to become a set of decisions: which columns contain personal data, which tables include protected health information, which roles can query cleartext values, which rows should be visible by region, how long a record should be retained and who can approve an exception.

Governance supplies the system of record for those decisions. For example, when a data steward classifies a column as sensitive, attaches a privacy tag, defines an owner and maps the data set to a retention rule, platform teams can translate those standards into masking policies, row access policies, role-based access control and monitoring. Compliance teams can then map each operating control back to the obligation it supports, whether that obligation concerns data minimization, least-privilege access, segregation of duties, retention, deletion or breach response.

Audit readiness comes from that same chain. Instead of assembling evidence after the fact, the organization can preserve lineage, classification history, access history, policy changes and approvals as part of normal data operations. This doesn’t make audits effortless, and it doesn’t remove the need for legal interpretation, but it makes evidence gathering faster and more reliable by preserving the audit trails, policy history and approval records teams need before an auditor asks for them.
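The policy → control → evidence chain above, carried through on Snowflake as an added example that is not part of the original guide. The database GOV, the schemas POLICIES and CLINIC, the table PATIENTS, the roles EU_ANALYST, US_ANALYST and PHI_READER, and the sample rows are all constructed for illustration; it also assumes the executing role owns what it creates and holds the APPLY TAG, APPLY MASKING POLICY and APPLY ROW ACCESS POLICY privileges.

```sql
-- Added example (not from the original guide). All object and role names are
-- assumed; the two patient rows are constructed sample data.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS eu_analyst;
CREATE ROLE IF NOT EXISTS us_analyst;
CREATE ROLE IF NOT EXISTS phi_reader;

USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS gov;
CREATE SCHEMA IF NOT EXISTS gov.policies;   -- tags and policies kept apart from data
CREATE SCHEMA IF NOT EXISTS gov.clinic;

-- Constructed sample table: an identifier, a PHI column and a region column.
CREATE OR REPLACE TABLE gov.clinic.patients (
  patient_id NUMBER, email STRING, diagnosis STRING, region STRING
);
INSERT INTO gov.clinic.patients VALUES
  (1, 'ana@example.com', 'asthma',   'EU'),
  (2, 'bo@example.com',  'diabetes', 'US');

-- Policy -> decision: the steward's classification is a tag with a closed value
-- set, so "sensitive" means the same thing on every column it is applied to.
CREATE TAG IF NOT EXISTS gov.policies.privacy_class
  ALLOWED_VALUES 'PII', 'PHI', 'PUBLIC'
  COMMENT = 'Classification assigned by the data steward';

-- Decision -> control (column level): only a role explicitly entitled to
-- cleartext sees the value; every other role sees a fixed redaction.
CREATE OR REPLACE MASKING POLICY gov.policies.mask_sensitive AS (val STRING)
  RETURNS STRING ->
  CASE WHEN IS_ROLE_IN_SESSION('PHI_READER') THEN val ELSE '***MASKED***' END;

-- Decision -> control (row level): region entitlements are data in a mapping
-- table, so an approved exception is an INSERT with an approval record, not a
-- policy rewrite.
CREATE OR REPLACE TABLE gov.policies.region_entitlements (role_name STRING, region STRING);
INSERT INTO gov.policies.region_entitlements VALUES
  ('EU_ANALYST', 'EU'), ('US_ANALYST', 'US'), ('PHI_READER', 'EU'), ('PHI_READER', 'US');

CREATE OR REPLACE ROW ACCESS POLICY gov.policies.by_region AS (row_region STRING)
  RETURNS BOOLEAN ->
  EXISTS (SELECT 1 FROM gov.policies.region_entitlements e
          WHERE e.region = row_region AND IS_ROLE_IN_SESSION(e.role_name));

-- Bind the masking policy to the tag once (tag-based masking). Classifying a
-- column is then the act that enforces masking; no per-column assignment needed.
ALTER TAG gov.policies.privacy_class SET MASKING POLICY gov.policies.mask_sensitive;
ALTER TABLE gov.clinic.patients MODIFY COLUMN email     SET TAG gov.policies.privacy_class = 'PII';
ALTER TABLE gov.clinic.patients MODIFY COLUMN diagnosis SET TAG gov.policies.privacy_class = 'PHI';
ALTER TABLE gov.clinic.patients ADD ROW ACCESS POLICY gov.policies.by_region ON (region);

-- Least privilege: analysts may query the table, but the policies above decide
-- which rows and which cleartext values a given role actually sees.
GRANT USAGE ON DATABASE gov TO ROLE eu_analyst;
GRANT USAGE ON SCHEMA gov.clinic TO ROLE eu_analyst;
GRANT SELECT ON TABLE gov.clinic.patients TO ROLE eu_analyst;
-- (repeat the three grants for us_analyst and phi_reader as required)

-- Control -> evidence: the live control-to-object mapping an auditor asks for.
-- INFORMATION_SCHEMA functions reflect the current state immediately; the
-- ACCOUNT_USAGE views carry the same facts but can lag by a couple of hours.
SELECT ref_column_name, policy_kind, policy_name, tag_name
FROM TABLE(gov.information_schema.policy_references(
       ref_entity_name => 'gov.clinic.patients', ref_entity_domain => 'TABLE'));

SELECT column_name, tag_name, tag_value
FROM TABLE(gov.information_schema.tag_references_all_columns('gov.clinic.patients', 'table'));
```

Running `SELECT * FROM gov.clinic.patients` as EU_ANALYST should return only the EU row with `email` and `diagnosis` redacted, while PHI_READER sees both rows in cleartext; the two evidence queries show the masking policy attached through the tag and the row access policy attached on `region`.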


What regulations require of your data

Regulations differ in language, scope and enforcement model, but many of them ask the same underlying questions about data:

  • What data do you have?
  • Where is it stored and used?
  • Who can access it?
  • How is sensitive data protected?
  • How long is it retained?
  • Can you show what happened when something changes, fails or gets accessed?
  • Can you respond when an individual, regulator, auditor or customer asks for proof?

Answering these questions satisfactorily requires a common set of control families:

  • Data classification and inventory: Organizations need to identify personal data, payment data, health data, financial reporting data, operationally critical data and other sensitive categories before they can apply the right policies. Classification also helps teams scope regulatory obligations, because a table that contains customer identifiers, transaction history or protected health information may carry different requirements than a table that contains aggregated operational metrics.
  • Access control and policy enforcement: Regulations often depend on limiting access to the right people for the right purpose. Least-privilege access, role-based access, masking, row-level restrictions and approval workflows help turn that principle into enforceable controls.
  • Audit trails and evidence: Compliance programs need records that show who accessed data, when they accessed it, what changed and which controls applied. Audit trails also support attestation, incident review and internal accountability.
  • Retention and disposal: Privacy, financial, healthcare and industry rules often require organizations to retain certain records for a defined period and dispose of other data when it’s no longer needed. Governance helps attach retention logic to data categories, owners and lifecycle policies instead of leaving deletion decisions to ad hoc judgment.
  • Response and breach workflows: When an incident occurs, teams need to understand which data was affected, which systems were involved, who had access and what notifications may be required. Classification, lineage and access history help security, legal and compliance teams move from a generic incident record to a data-specific response workflow.

This common control layer is what allows a single governance program to support many regulations at once. The labels may change from one obligation to another, but the organization still needs to know what data it has, how it’s controlled and what evidence proves the control functioned as intended.

Data privacy regulations

Data privacy regulations focus on the rights of individuals in relation to their data, not only the security of systems. For example, when a customer record, employee file or device identifier moves through marketing, support, AI or other workflows, the organization needs to know where that data lives, why it’s being processed, who can use it and how long it should be retained.

GDPR

GDPR governs the processing of personal data in the EU and includes principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality and accountability. Governance controls help organizations identify personal data, document processing context, restrict access, enforce retention policies and preserve evidence that supports accountability.


CCPA and CPRA

The California Consumer Privacy Act gives California consumers rights related to personal information, including rights to know, delete and opt out of certain uses or sales of personal information. The California Privacy Rights Act amended and expanded the CCPA on January 1, 2023, including additional obligations related to sensitive personal information and the creation of the California Privacy Protection Agency. Governance programs support CCPA and CPRA requirements by classifying sensitive personal information, enforcing access restrictions and aligning data use with disclosed purposes.


LGPD

Brazil’s Lei Geral de Proteção de Dados applies to personal data processing and shares many concepts with GDPR, including lawful bases for processing, data subject rights and requirements for security and accountability. Classification, consent tracking, access control and retention policies help organizations operationalize those obligations across data systems.

PDPA

Personal Data Protection Acts in jurisdictions such as Singapore and Thailand require organizations to manage personal data responsibly, often including notice, consent, purpose limitation, protection, retention and access rights. A governance program helps connect those requirements to data inventories, role-based access, masking and lifecycle controls.

POPIA

South Africa’s Protection of Personal Information Act regulates the processing of personal information and includes conditions related to accountability, processing limitation, purpose specification, security safeguards and data subject participation. Governance supports POPIA by documenting processing context, assigning ownership, enforcing data protection controls and preserving audit evidence.

China PIPL

China’s Personal Information Protection Law regulates personal information processing and includes requirements related to consent, transparency, purpose limitation, data subject rights, sensitive personal information and cross-border transfers. Governance controls help organizations classify personal information, track processing purposes, apply access policies and document transfer or sharing decisions.

India DPDP

India’s Digital Personal Data Protection Act, 2023, established a framework for processing digital personal data in a way that recognizes both the right of individuals to protect their personal data and the need to process that data for lawful purposes. For organizations, the governance implication is familiar: digital personal data must be identified, protected, used for defined purposes, retained appropriately and connected to workflows that support individual rights and organizational accountability.

Financial services and operational resilience regulations

Financial services regulations typically focus on the integrity of reporting, the resilience of critical operations and the ability to show that controls operate across complex data and technology environments. A risk model, capital calculation, trade report or operational resilience dashboard may pull data from many systems, which means compliance depends on lineage, control mapping, access history, data quality and documented ownership.

The more distributed the financial data estate becomes, the more important it is to maintain a consistent governance layer across reporting, analytics, risk management, third-party oversight and operational resilience.

DORA

The EU’s Digital Operational Resilience Act applies to financial entities and the ICT third-party risk environment that supports them. It focuses on the ability to withstand, respond to and recover from information and communication technology disruptions. DORA entered into application on Jan. 17, 2025. Governance supports DORA by helping financial organizations understand which data, systems and third-party dependencies support critical operations, how access is controlled, and what evidence is available for incident response, testing and oversight.

SOX

The Sarbanes-Oxley Act focuses on financial reporting integrity and internal controls. For data teams, SOX-relevant controls often involve the systems, data flows and access rights that support financial reporting, close processes and audit evidence. Governance can help identify authoritative data sources, document lineage, enforce segregation of duties and preserve change history for key reporting data.

Basel III

Basel III establishes international banking standards for capital adequacy, stress testing and liquidity risk. While it’s not only a data regulation, its implementation depends on reliable risk, exposure, liquidity and capital data. Governance helps banks define authoritative sources, maintain data quality, document transformations and support repeatable reporting processes.

BCBS 239

BCBS 239 sets principles for risk data aggregation and risk reporting. The standard is especially relevant to governance because it depends on data accuracy, completeness, timeliness, adaptability and traceability across risk reporting processes. Governance controls such as lineage, ownership, data quality monitoring and audit trails help support those expectations.

APRA CPS 234

APRA CPS 234 sets information security requirements for regulated entities in Australia, with expectations around information asset identification, control effectiveness, incident notification and third-party management. Data governance supports CPS 234 by helping organizations identify sensitive and critical data assets, assign ownership, enforce access policies and retain evidence of control operation.

COMMON PITFALL

Many organizations treat regulatory compliance as a documentation exercise instead of an operational discipline. Policies may exist on paper, but without mapped controls, ownership, access history and retained evidence, teams are left scrambling when auditors ask for proof.

Healthcare and payment data regulations

Some compliance obligations are defined by the type of sensitive data an organization handles, rather than by a broad privacy regime or financial reporting framework. HIPAA applies to protected health information, while PCI DSS applies to cardholder data environments. In both cases, compliance depends on knowing where regulated data resides, which roles can access it, how sensitive values are protected and whether access activity can be reviewed after the fact.

HIPAA

HIPAA governs protected health information in the U.S. healthcare ecosystem. Governance supports HIPAA by identifying protected health information, restricting access based on role and purpose, documenting data flows, applying appropriate protections and preserving audit records that show how sensitive healthcare data was accessed and used.

PCI DSS

The Payment Card Industry Data Security Standard applies to organizations that store, process or transmit cardholder data. PCI DSS v4.0.1 was published in June 2024, and the PCI Security Standards Council confirmed that the revision did not change the March 31, 2025, effective date for future-dated requirements. Governance helps payment teams scope cardholder data environments, classify payment data, restrict access, monitor activity and retain evidence for assessment.

Cybersecurity and data quality regulations

Some compliance obligations focus less on a single regulated data type and more on whether the organization can trust the systems, controls and data that support regulated operations. NIS2 establishes cybersecurity risk management and incident reporting obligations for covered sectors in the EU, while ISO 8000 provides a data quality standard that can support more defensible reporting, audit and evidence processes.

NIS2

The NIS2 Directive expands cybersecurity obligations across critical and important sectors in the EU. EU Member States were required to transpose NIS2 into national law by Oct. 17, 2024, with measures applying from Oct. 18, 2024. Data governance supports NIS2 by identifying data and systems tied to essential services, supporting incident response workflows and helping organizations document access, ownership and control coverage.

ISO 8000

ISO 8000 is a data quality standard that focuses on the quality and exchange of data. For compliance-oriented data programs, ISO 8000 is useful because regulatory evidence is only as strong as the data behind it. Ownership, data definitions, quality rules, lineage and issue management help ensure that reports, audits and attestations rely on data that can be trusted.

AI data governance regulations and frameworks

Organizations must be ready to defend the accuracy, explainability and security of their AI systems and to account for bias in them — including which data was used to train, validate, test or ground the system; where that data came from; how it was prepared; and which controls governed its use.

For data teams, AI regulatory compliance turns training data, validation data, prompts, retrieval sources and model outputs into governed assets. The control set is the same, but the compliance target is the AI system whose behavior depends on upstream data choices.

EU AI Act

The EU AI Act makes the connection between AI compliance and data governance explicit for high-risk AI systems. Article 10 requires high-risk AI systems that use training data to be developed on the basis of training, validation and testing data sets that meet quality criteria, with data governance and management practices covering areas such as data collection, data preparation, bias examination, data gaps, and the relevance and representativeness of data for the system’s intended context.

NIST AI RMF

The NIST AI Risk Management Framework is not a regulation, but it gives organizations a useful structure for managing AI risk. Its core functions — govern, map, measure and manage — connect policy, system context, measurement and ongoing risk response.

In practice, those functions depend on governed data. Teams need to map the intended use of an AI system, measure performance and bias against relevant data, manage risks as data and model behavior change, and preserve evidence that legal, risk, compliance and audit stakeholders can review. A model inventory alone is not enough if the organization cannot trace the data sources, transformations, access policies and evaluation data that shaped the system.

Governance, risk and compliance

Governance, risk and compliance (GRC) connects three related disciplines: how an organization sets and enforces operating standards, how it identifies and manages risk, and how it demonstrates adherence to external obligations. In a data context, GRC depends on the same operational details that data teams manage every day: owners, classifications, access policies, lineage paths, approvals, exceptions and audit trails.

A GRC program may define the risk taxonomy, control framework and reporting cadence, but data governance supplies the evidence. If a control requires restricted access to regulated data, the organization needs to know which data is regulated, which roles can access it, which policies apply and whether any exceptions remain open. If a control requires retention of financial reporting data, the organization needs lifecycle rules, owner accountability and proof that records were retained or disposed of according to policy.


How one governance program satisfies many regulations

A well-run governance program becomes more valuable as regulatory obligations expand because the same control can support many requirements. For example, data lineage can support auditability for financial reporting, explainability for risk models, impact analysis for incident response and documentation for AI systems. Access control can support confidentiality, segregation of duties, least-privilege access and data minimization.

Consider a healthcare organization that must align with HIPAA, state privacy laws, internal security policies and contractual obligations with partners. Without a shared governance program, each obligation might trigger a separate inventory, separate access review and separate evidence request. With a common control environment, however, the organization can classify protected health information and other personal data once, attach owners and policies to those classifications, enforce masking or row access where appropriate, document data flows and reuse the same evidence across multiple reviews.

This doesn’t mean one control satisfies every requirement automatically. Legal interpretation still matters, and different regulations may require different thresholds, documentation and review cycles. But governance-driven compliance gives teams a reusable base: controls can be mapped to obligations, evidence can be retained continuously and new regulations can be evaluated against the controls that already exist.

Regulatory compliance on Snowflake

Snowflake helps organizations connect governance controls to compliance workflows by bringing metadata, policy enforcement and auditability closer to the data itself. With Snowflake Horizon Catalog, teams can discover, classify, govern and protect data across Snowflake, including controls for access, masking, row-level restrictions, lineage and sensitive data classification.

Snowflake Access History adds another link in the operating chain by recording when queries read data and when SQL statements perform write operations such as inserts, updates, deletes and copies. For compliance teams, this access history connects policy enforcement to the audit trail and the evidence built from it.
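Access History turned into evidence for one regulated table, as an added example rather than code from the guide. The table name GOV.CLINIC.PATIENTS and the 30-day window are assumed; the ACCOUNT_USAGE views used here lag live activity by up to a few hours, so they answer "what happened" questions rather than real-time ones.

```sql
-- Added example (not from the original guide). GOV.CLINIC.PATIENTS and the
-- 30-day window are assumed for illustration.

-- Who read which column, and under which session role. Joining QUERY_HISTORY
-- supplies the role, which is what a least-privilege review actually needs.
SELECT ah.query_start_time, ah.user_name, qh.role_name,
       col.value:columnName::STRING AS column_name, ah.query_id
FROM snowflake.account_usage.access_history ah
   , snowflake.account_usage.query_history  qh
   , LATERAL FLATTEN(input => ah.direct_objects_accessed) obj
   , LATERAL FLATTEN(input => obj.value:columns) col
WHERE qh.query_id = ah.query_id
  AND obj.value:objectName::STRING = 'GOV.CLINIC.PATIENTS'
  AND ah.query_start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY ah.query_start_time DESC;

-- Which masking policy was enforced on each column read. Comparing this result
-- with the previous one exposes any classified column read with no policy
-- referenced, which is the classification-to-enforcement gap to investigate.
SELECT ah.query_id, ah.user_name,
       pc.value:columnName::STRING AS column_name,
       p.value:policyKind::STRING  AS policy_kind,
       p.value:policyName::STRING  AS policy_name
FROM snowflake.account_usage.access_history ah
   , LATERAL FLATTEN(input => ah.policies_referenced) pr
   , LATERAL FLATTEN(input => pr.value:columns) pc
   , LATERAL FLATTEN(input => pc.value:policies) p
WHERE pr.value:objectName::STRING = 'GOV.CLINIC.PATIENTS'
  AND ah.query_start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP());

-- Writes: inserts, updates, deletes and copies land in OBJECTS_MODIFIED, so the
-- change history of the table is a separate query from its read history.
SELECT ah.query_start_time, ah.user_name, ah.query_id,
       m.value:objectName::STRING AS object_modified
FROM snowflake.account_usage.access_history ah
   , LATERAL FLATTEN(input => ah.objects_modified) m
WHERE m.value:objectName::STRING = 'GOV.CLINIC.PATIENTS'
  AND ah.query_start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY ah.query_start_time DESC;
```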

Additionally, Snowflake Compliance Center supports posture monitoring by surfacing high-level insights into the security posture of an account, including scanner findings, secure authentication readiness and data security. Snowflake also provides compliance documentation and certifications through its compliance resources, including global certifications such as SOC 1 Type II, SOC 2 Type II and ISO certifications, with additional compliance information available by region and program.

Together, these capabilities help organizations move from written intent to governed operation, and from governed operation to evidence that can support audits, attestations and regulatory reviews.

Governance makes compliance reusable

Regulations define different obligations, but they often depend on the same operational facts: what data exists, where it moves, who can access it, how it’s protected and whether the organization can prove the control worked.

A well-run governance program captures those facts as part of normal data operations. Classification, ownership, lineage, access policies, retention rules and audit trails become reusable controls that can be mapped to privacy laws, financial reporting requirements, operational resilience rules, healthcare and payment standards, and AI governance frameworks.

KEY TAKEAWAY

Data governance can make compliance processes more repeatable. By turning regulatory requirements into reusable controls — such as classification, access policies, lineage, retention rules and audit trails — organizations can support many obligations at once and maintain evidence before an audit begins.

Frequently Asked Questions

Your common questions about regulatory compliance, answered by Snowflake experts.

Data governance is the ongoing discipline for managing data ownership, quality, access, classification, lifecycle and control. Compliance is the obligation to meet specific external requirements. Governance is usually proactive and operational, while compliance is often tied to laws, audits, enforcement dates and reporting obligations.

Data governance supports regulatory compliance by translating external requirements into internal operating controls. A regulation may require data minimization or least-privilege access; governance defines which data is sensitive, who owns it, which roles can access it, which policies apply and what evidence shows the control worked.

Common data controls include data classification, access control, masking, row-level restrictions, audit trails, retention and disposal policies, data lineage, incident response workflows and evidence management. These controls appear across privacy, financial services, healthcare, payment and cybersecurity requirements.

AI regulations and frameworks often expect organizations to understand the data used to train, test, validate and monitor AI systems, especially when those systems affect regulated decisions or high-risk use cases. Data governance supports those expectations by helping teams document data sources, assess quality and relevance, track lineage, manage access, identify sensitive data and retain evidence about how data was used. The EU AI Act makes this especially explicit for high-risk AI systems.
