It is not a joyful word, compliance. Agencies must follow complex rules that govern the collection, use and security of personal and public data — and although they’re important, the requirements can lead to operational and technical challenges, costly investments, and data sharing hurdles.
How It Happens:
As technology evolves, government entities are creating and expanding rules regarding data transparency, privacy, accessibility, security, AI usage, and other concerns. For example, in April 2024 the Department of Justice extended Americans with Disabilities Act rules to require that content on state and local websites and mobile apps be digitally accessible. A patchwork of hundreds of state and federal data laws includes the Privacy Act of 1974, which applies to federal agencies; sector-specific laws such as HIPAA; and comprehensive state laws, including the California Consumer Privacy Act. In 2025 alone, 38 states adopted or enacted 100 AI-related measures.
Solution:
Industry- or state-specific laws may have unique requirements, but certain best practices apply to any data mandate. For example:
- Know what’s happening. Follow activity related to emerging technologies, such as AI, and to existing laws that are ripe for expansion and revision.
- Implement a robust data governance framework. This will help you manage your data as a strategic asset by establishing clear roles and responsibilities and processes for ensuring secure, high-quality, dependable data.
- Maintain strict security. Encrypt your data, use role-based access controls, secure your data storage, monitor logins and vendor practices, audit regularly, etc.
- Document and report. Track data processing activities and record decisions surrounding data use and risk management.
- Implement a data retention policy. By holding data only for the duration you need it, you can more easily locate compliance-relevant data and reduce storage costs.
- Be transparent. Provide clear privacy or other notices as required and get informed consent when needed. Record those consents and any other interactions with data subjects.
- Prepare for breaches. Develop and test an incident response plan, including notification protocols that meet legal requirements.
- Train staff. Regularly educate them about data protection and compliance, and promote a culture of data responsibility.
Key Compliance Challenges
- Complex and fragmented legal landscape
- Rapidly evolving laws and regulations
- Data privacy and civil liberties concerns
- Resource and capacity constraints
- Accessibility requirements
- Ineffective security controls
- Weak data governance
A version of this article appeared in our guide Better Data Strategy for the AI Age. Download the guide for more insights into how agencies can adopt more coherent, effective ways of managing their data.