You have to consider what I would call the global regulatory layer cake. At the center is you and your organization. The next ring out, of course, is all of the various industry regulators that you may have, like the SEC in finance or HIPAA for healthcare. Above that, you're going to have state breach notification laws. And then above that, you have what I call the super layer of things like privacy regulations like the GDPR in Europe. Regardless of whether or not you are actually headquartered in Europe, if you have affiliates, clients, data, or a resident there, you are governed by GDPR.
A cybersecurity framework is the best way to map to this myriad of regulatory obligations. It's crucial that you build a cybersecurity framework that ensures that you have mapped all of your regulatory obligations. It's a very convoluted mapping, and that's why many of our clients are now working hand-in-hand with a cybersecurity advisory professional to help them do that, to understand those obligations, understand the assets that they have under management, and how they adequately protect their clients' privacy.