# Compliance basics
Compliance means following laws, regulations, standards, or contractual requirements related to security and data protection. It is important, but compliance alone does not automatically mean an organization is secure.
## Interview answer
"Compliance is the process of meeting required legal, regulatory, or industry security obligations such as GDPR, HIPAA, or PCI DSS. It defines a baseline, but strong security requires continuous risk management beyond simple compliance."
## Why compliance matters
- Protects sensitive data
- Reduces legal and regulatory risk
- Builds customer trust
- Supports audits and contracts
- Creates minimum security expectations
## Major compliance frameworks
| Framework | Main focus | Typical organizations |
|---|---|---|
| GDPR | Personal data and privacy of EU residents | Any organization handling EU personal data |
| HIPAA | Protected health information | Healthcare providers and related vendors |
| PCI DSS | Payment card data | Merchants, processors, payment service providers |
| ISO 27001 | Information security management system | Any organization seeking structured security governance |
| SOC 2 | Trust controls for service organizations | SaaS, cloud, and technology providers |
## Compliance versus security
| Feature | Compliance | Security |
|---|---|---|
| Goal | Meet required obligations | Reduce risk and protect the business |
| Driver | Laws, standards, contracts | Threats, vulnerabilities, and risk |
| Style | Minimum baseline | Continuous improvement |
| Outcome | Passing audits and avoiding penalties | Better resilience and protection |
## Common interview questions

**What is data minimization?**
Data minimization means collecting only the data that is genuinely necessary for the business purpose. Less collected data means less data to protect and less data to lose in a breach.
**What is a data retention policy?**
A data retention policy defines how long different categories of data should be kept and when they should be securely deleted.