
Tom Kemp’s Privacy Risk Summit Keynote: Staying Ahead of Privacy Regulation

Luna Khatib - November 6, 2025

The privacy landscape is evolving faster than most organizations can keep up. As Tom Kemp, Executive Director of the California Privacy Protection Agency, shared during DataGrail’s Privacy Risk Summit, the era of optional compliance is over. Data protection has become a core component of brand reputation, customer loyalty, and business resilience.

In an environment where regulatory updates are arriving with unprecedented frequency and scope, privacy leaders are being called to do more than react. They must build programs that anticipate change, not chase it. The organizations that succeed will be those that integrate privacy into every business decision — treating it not as a compliance task but as a strategic asset.

Below, we break down three major regulatory shifts that demand proactive attention — and how your organization can begin preparing now.

1. Operationalize Compliance Across a Fragmented Landscape

Today’s privacy environment is more complex than ever. The California Privacy Rights Act (CPRA) continues to set a benchmark for U.S. privacy enforcement, but other states are quickly following suit. More than a dozen have passed comprehensive privacy laws in the past two years, each with its own definitions, exemptions, and enforcement mechanisms. Meanwhile, Congress continues to debate a potential federal privacy framework — creating further uncertainty.

As Kemp noted, the solution isn’t chasing each new law — it’s building a privacy program that scales with change. That means operationalizing compliance through automation and visibility, and moving away from ad-hoc checklists toward systematized, scalable operations. Organizations should build privacy programs that live in the workflow, not in a binder. This includes automated data mapping, centralized consent management, and dynamic policy enforcement across systems.

Legal, IT, marketing, product, and engineering all need to be part of the same playbook. When privacy-by-design becomes a shared mindset, not a legal checkbox, you move from reactive compliance to continuous governance.

The payoff? You’ll avoid fire drills, reduce legal exposure, and transform compliance into a competitive advantage.

2. Prepare for the Coming Era of AI Governance

A major theme in Tom Kemp’s session — and across the Privacy Risk Summit — was the regulatory focus shifting toward artificial intelligence and automated decision-making. New rulemaking is already underway in several jurisdictions to address algorithmic bias, data provenance, and explainability. For example, the CPPA’s forthcoming regulations are expected to give consumers the right to opt out of AI-driven profiling and require greater transparency in how automated systems use personal data.

AI has amplified the stakes of privacy compliance. Training models on personal or sensitive data introduces profound ethical and legal risks — from unauthorized re-use to unintended discrimination. Kemp warned that privacy regulators are beginning to treat AI governance as an extension of data protection. The message is clear: the era of unregulated model training is ending.

To get ahead, extend your privacy frameworks to encompass AI systems. This starts with clear documentation: understanding what data is being ingested, how it is processed, and where it is stored. Data lineage tracking is no longer optional. Privacy impact assessments should explicitly evaluate the potential harms of automated decisions, not just data collection.

Forward-thinking organizations are already establishing AI ethics councils or data-governance boards to evaluate high-risk projects before they go live. By combining privacy, compliance, and ethical oversight, companies can demonstrate good-faith governance — a critical mitigating factor in enforcement scenarios.

Ultimately, preparing for AI regulation isn’t just about staying compliant; it’s about maintaining consumer trust in the age of automation. By governing your AI pipelines responsibly today, you position your brand as trustworthy — and future-ready.

3. Build for Global Convergence

Privacy is no longer a regional issue. Kemp highlighted how international frameworks are converging toward a shared philosophy of data accountability, even if the terminology differs. The EU’s GDPR continues to influence global standards, while Canada’s Bill C-27, Brazil’s LGPD, and new laws in the Asia-Pacific region are tightening controls around data transfers and retention.

This convergence creates both challenges and opportunities. On one hand, organizations must navigate an increasingly intricate compliance web. On the other, they have a chance to build interoperable privacy programs that meet multiple standards simultaneously — an efficiency that was unthinkable a few years ago.

To future-proof compliance, organizations should invest in privacy infrastructure that scales globally. That means centralizing data subject rights (DSR) workflows, maintaining live data inventories, and ensuring third-party vendors adhere to equivalent standards. Continuous risk assessments and automated auditing can help track compliance in real time, reducing exposure to cross-border enforcement actions.

Another key element is transparency. As regulators demand greater visibility into how organizations handle personal data, maintaining comprehensive documentation becomes essential. This isn’t just for auditors — it’s for customers, partners, and stakeholders who increasingly expect privacy to be part of your brand promise.

Building for global interoperability today ensures that as regulations align — and enforcement grows more coordinated — your organization will remain resilient, adaptable, and trustworthy.

The Bottom Line

Kemp’s message at the Privacy Risk Summit was clear: privacy is no longer a compliance project; it’s a strategic discipline that underpins every aspect of digital transformation. The “new standard” he described is one of continuous adaptation — where organizations treat privacy as a living system that evolves with technology and regulation alike.

To meet this moment, companies must shift from reactive compliance to proactive governance. That means operationalizing privacy across teams, extending safeguards into AI ecosystems, and designing frameworks that scale globally. The organizations that embrace this model won’t just avoid penalties; they’ll earn a durable form of trust — the kind that defines leadership in a privacy-first world.

Interested in watching Tom Kemp’s full session from Privacy Risk Summit? Watch here on-demand now.

How can brands operationalize privacy compliance across so many different laws?

The key is to move beyond manual workflows and spreadsheets. Leading organizations are implementing automated privacy platforms that integrate data mapping, consent management, and risk intelligence across systems. This approach ensures consistency, reduces human error, and creates a repeatable process that scales as new regulations emerge.

How are global privacy laws converging, and why does that matter?

Regulators around the world are aligning on core principles: transparency, accountability, and user control. While terminology may differ (e.g., GDPR “lawful basis” vs. U.S. “opt-out rights”), the underlying expectations are similar. This convergence gives companies the chance to build interoperable global privacy programs—a single operational foundation that satisfies multiple frameworks and strengthens brand trust.

Why is proactive privacy governance considered a competitive advantage?

Proactive privacy isn’t just about avoiding fines—it’s about building durable trust. Companies that anticipate change, automate risk management, and communicate transparently about data practices earn stronger customer loyalty, faster compliance readiness, and a better reputation in the market. In short, privacy has become a brand differentiator, not just a legal requirement.
