⚡ Promptolis Original · Legal

✅ Regulatory Compliance Checker — Industry + Jurisdiction Requirements

The structured regulatory compliance audit — covering GDPR, CCPA, HIPAA, SOC 2, industry-specific regulations, the multi-jurisdiction framework, and the 'continuous compliance' discipline that replaces point-in-time audit scrambles.

⏱️ Initial audit 20 hours + ongoing 🤖 ~2 min in Claude 🗓️ Updated 2026-04-20

Why this is epic

Most companies treat compliance as annual audit scramble. This Original produces continuous compliance framework: which regulations apply, gap assessment, ongoing monitoring, audit readiness.

Names the 6 compliance failure modes (missed regulations / outdated policies / no monitoring / inadequate documentation / late audits / poor response to findings) + fixes.

Produces complete program: applicable regulations matrix, gap analysis, policy framework, monitoring cadence, audit preparation. NOT legal advice — compliance attorney + specialized firms for formal audits.

The prompt

Promptolis Original · Copy-ready

<role> You are a regulatory compliance consultant with 12 years of experience. You've guided 200+ companies through compliance programs. NOT a lawyer or formal auditor — provide framework + preparation. Specialized professionals for formal certification. You draw on GDPR, CCPA, HIPAA, SOC 2, ISO 27001, PCI DSS, and emerging regulations. </role> <principles> 1. NOT legal advice. 2. Identify applicable regulations first. 3. ROI-based compliance priorities. 4. Continuous compliance beats annual scrambles. 5. Documentation foundational. 6. Employee training central. 7. Incident response integrated. 8. Annual pen testing for tech. </principles> <input> <business-context>{industry + stage + size}</business-context> <customer-regions>{where customers located}</customer-regions> <data-types>{what data handled}</data-types> <current-certifications>{SOC 2, ISO, etc}</current-certifications> <known-compliance-requirements>{explicitly required}</known-compliance-requirements> <target-customers>{who you sell to}</target-customers> <resources>{budget for compliance}</resources> <timeline>{goals + audit windows}</timeline> </input> <output-format> # Compliance Assessment: [Business summary] ## Applicable Regulations Matrix Which regulations apply. ## Priority Compliance Goals Based on ROI. ## Gap Analysis Current state vs. requirements. ## Policy Framework What must exist. ## Monitoring + Audit Cadence Continuous discipline. ## Resource Requirements Team, tools, external. ## Implementation Roadmap 90-day + 1-year plan. ## Key Takeaways 5 bullets. </output-format> <auto-intake> If input incomplete: ask for business context, regions, data types, certifications, requirements, customers, resources, timeline. </auto-intake> Now, assess:

0 copies

🚀 Open in ChatGPT ✨ Open in Claude 💎 Open in Gemini

Example: input → output

Here's how this prompt actually performs. Real input below, real output from Claude Opus 4.

📝 Input

<business-context>B2B SaaS, customer data platform. $30M ARR. 200 employees. 5 years old. Goal: expand into healthcare vertical in 2026.</business-context>
<customer-regions>US (all states), EU (France, Germany, UK, Netherlands), Canada, Australia.</customer-regions>
<data-types>Customer employee accounts (low sensitivity). End-user data (their customers — moderate to high sensitivity, sometimes health-adjacent).</data-types>
<current-certifications>SOC 2 Type II. ISO 27001 in progress.</current-certifications>
<known-compliance-requirements>GDPR (EU customers), CCPA (California). Considering HIPAA for healthcare expansion.</known-compliance-requirements>
<target-customers>Mid-market + enterprise B2B. Healthcare target segment for 2026.</target-customers>
<resources>Dedicated compliance: part-time (no dedicated officer yet). $200K annual compliance budget. Security team 4 people.</resources>
<timeline>(1) SOC 2 renewal Q3, (2) ISO 27001 certification target end of year, (3) HIPAA readiness Q2 2026 for healthcare launch.</timeline>

🤖 Output

Compliance Assessment: B2B SaaS, $30M ARR, Expanding to Healthcare

A compliance checker produces structured assessment of applicable regulations + gap analysis + implementation roadmap. NOT legal advice. Your situation — established SaaS with strong compliance foundation (SOC 2) expanding to healthcare (HIPAA) — requires building on existing + adding healthcare-specific + strengthening multi-jurisdiction. This plan produces: applicable regulations matrix, priority goals by ROI, gap analysis, 90-day roadmap.

Applicable Regulations Matrix

Regulation	Applies?	Status	Priority
GDPR (EU customers)	YES	Partial	HIGH — existing obligation
CCPA + CPRA (CA residents)	YES	Partial	HIGH — existing obligation
State Privacy Laws (VA, CO, CT, UT, IA, IN, TN, TX, MT, DE, etc.)	YES (growing)	Not fully addressed	HIGH
Canada PIPEDA	YES	Partial	MEDIUM
UK GDPR + DPA 2018	YES	Same as GDPR mostly	HIGH
Australia Privacy Act	YES	Not addressed	MEDIUM
SOC 2 Type II	YES (customer demand)	Certified	MAINTAIN
ISO 27001	YES (enterprise customers)	In progress	HIGH
HIPAA (if healthcare)	PENDING	Not addressed	CRITICAL for 2026
PCI DSS	NO (Stripe handles)	N/A	N/A
HITRUST	POTENTIALLY (healthcare)	Not addressed	POTENTIAL 2026

Priority Compliance Goals (ROI-Based)

Priority 1: HIPAA Readiness for Healthcare Expansion

Why priority: can't enter healthcare market without HIPAA compliance

Requirements:

BAA (Business Associate Agreement) capability
HIPAA-compliant infrastructure
HIPAA risk assessment
Employee training (all with PHI access)
Incident response for HIPAA breaches

Effort: 6-9 months

Cost: $100-200K (consultant + infrastructure + training)

Payoff: healthcare vertical = potentially 20-30% of ARR in 2 years

Priority 2: ISO 27001 Certification (Existing Goal)

Why priority: enterprise customer demand + SOC 2 foundation

Leverage: build on SOC 2 controls

Cost: $30-60K for certification process

Timeline: 3-6 months

Priority 3: Multi-State Privacy Compliance

Why priority: growing state privacy law patchwork requires systematic approach

Approach: GDPR-level compliance often covers most state laws + specific adjustments for CA, VA, CO, CT, UT, IA, IN, TN, TX

Effort: ongoing, policy updates quarterly

Cost: $15-25K/year ongoing

Priority 4: Maintain SOC 2 + Refresh GDPR

Why priority: foundation preservation

Cost: $30-50K/year renewal + ongoing

Gap Analysis

Data Protection + Privacy:

EU/UK: GDPR framework in place — ✓ good
US States: CCPA addressed, other states partially addressed — GAP
Canada, Australia: not systematically addressed — GAP
HIPAA: no framework — MAJOR GAP

Technical Controls:

SOC 2: certified — ✓ good
ISO 27001: in progress
HIPAA Technical Safeguards: need assessment — GAP for healthcare
Encryption: at rest + in transit — verify meets HIPAA standards
Access controls: need audit logs + monitoring specific to PHI

Documentation:

Information Security Policies: SOC 2 addressed — good
HIPAA-specific policies: needed — GAP
Privacy Policy: needs 2024+ regulation additions
Data flow diagrams: need updating for EU/healthcare flows
Incident Response Plan: exists but needs HIPAA-specific additions

People + Process:

Security awareness training: annual — good
HIPAA-specific training: needed for PHI-handling staff — GAP
Privacy officer: part-time — consider dedicated role
Compliance calendar: informal — need formalization

Policy Framework (What Must Exist)

Information Security:

Information Security Policy
Access Control Policy
Cryptographic Controls Policy
Incident Response Policy
Business Continuity + Disaster Recovery Policy

Privacy:

Privacy Policy (public)
Internal Data Handling Policy
Data Retention + Deletion Policy
Data Subject Request Procedure
International Transfer Procedure

HIPAA (when adding):

HIPAA Privacy Policy
HIPAA Security Policies (administrative, physical, technical)
Breach Notification Policy
Business Associate Agreement Templates
Sanction Policy

Operational:

Vendor Management Policy
Change Management Policy
Secure Development Policy
Acceptable Use Policy
Remote Work Policy

Documentation standards:

All policies reviewed annually
Version-controlled
Employee acknowledgment required
Linked to training materials
Updated on regulatory changes

Monitoring + Audit Cadence

Continuous:

Security monitoring (24/7)
Access log reviews (monthly)
Vulnerability scanning (monthly)
Policy adherence monitoring

Quarterly:

Compliance dashboard review
Regulatory updates assessment
Training completion tracking
Risk register updates

Semi-Annual:

Vendor risk assessments
Access rights review (who has what)
Disaster recovery testing
Phishing simulations

Annual:

Full compliance audit prep (SOC 2 + ISO 27001 + HIPAA when active)
Policy reviews + updates
Security awareness training refresh
Penetration testing
Incident response tabletop exercises

Event-Driven:

Security incidents → full review
New regulations → gap analysis
Customer compliance questions → address
New sub-processors → vendor assessment

Resource Requirements

Team:

Role	Current	Needed
Compliance/Privacy officer	Part-time (CFO extras)	Dedicated (or fractional)
Security engineers	4	4-5 (continue hiring)
Legal (fractional GC)	Yes	Maintain
HIPAA Security Officer	N/A	Required for HIPAA

External:

SOC 2 auditor (annual)
ISO 27001 certification body
HIPAA consultant (pre-certification + ongoing)
Privacy attorney (retainer)
Penetration testing firm (annual)

Tools:

GRC platform (Vanta, Drata, Secureframe) — $20-40K/year
SIEM + security monitoring
Training platform
Vendor risk management tool

Implementation Roadmap

Q1 2026 (Months 1-3):

HIPAA gap assessment (consultant engagement)
ISO 27001 certification push (finalize)
Multi-state privacy law audit
Privacy Policy 2024+ update
Compliance calendar formalization

Q2 2026 (Months 4-6):

HIPAA implementation sprint (policies, controls, training)
BAA templates finalized
Healthcare-ready infrastructure
HIPAA readiness audit (external consultant)
SOC 2 renewal prep

Q3 2026 (Months 7-9):

SOC 2 Type II renewal audit
HIPAA compliant for healthcare launch
First healthcare customers onboard with BAA
ISO 27001 certification achieved

Q4 2026 (Months 10-12):

Continuous compliance program mature
Annual reviews + updates
2027 planning + priorities
Board-level compliance reporting

Total 12-month investment: $200-300K (fits within $200K budget if staged carefully, may require expansion for healthcare).

Key Takeaways

HIPAA readiness for healthcare expansion is CRITICAL for 2026 vertical launch. 6-9 month runway needed. $100-200K investment including consultant + infrastructure + training. Can't enter healthcare without.
Multi-state privacy compliance growing complexity. GDPR-level framework covers most, but specific state requirements (CA, VA, CO, CT, TX) need systematic addressing. Budget $15-25K/year ongoing.
Continuous compliance > annual audit scrambles. GRC platform ($20-40K/year) automates monitoring. Quarterly + semi-annual + annual cadence documented. Event-driven responses integrated.
ISO 27001 + SOC 2 + HIPAA trifecta positions for enterprise + healthcare customers. Leverages overlapping controls. ~$150-250K annual compliance program cost at your scale.
Dedicated (or fractional) Compliance/Privacy Officer needed at $30M ARR with multi-regulation requirements. Part-time attention from CFO insufficient. Hire or retain fractional expert.

Common use cases

Companies assessing what regulations apply
Pre-audit gap assessment
New market entry compliance
Annual compliance review
Post-incident compliance strengthening

Best AI model for this

Claude Opus 4 or Sonnet 4.5. Regulatory compliance requires legal + operational + technical understanding. Top-tier reasoning matters. NOT legal advice.

Pro tips

Not legal advice. Compliance attorney + specialized audit firms for formal compliance.
Start with: what regulations apply to YOU based on business + customers + geographies.
Don't pursue all certifications. ROI-driven.
Continuous compliance beats annual scramble.
Documentation is 80% of audit preparation.
Employee training + awareness central.
Incident response + breach notification critical.
Annual penetration testing + vulnerability scanning for tech companies.

Customization tips

For SOC 2 + ISO 27001 + HIPAA: significant overlap. 60-70% of controls apply across all three. Design once, map to multiple frameworks.
GRC platforms (Vanta, Drata, Secureframe) dramatically reduce compliance workload. $20-40K/year investment saves 10-20x in staff time.
Healthcare expansion: HIPAA is table stakes. HITRUST may also be required by some customers. Evaluate early.
Don't pursue every certification. Customer demand + revenue impact drives priority. SOC 2 usually top ROI for B2B SaaS.
Audit failures are 90% documentation gaps, not control gaps. Focus on documentation discipline.

Variants

B2B SaaS (SOC 2)

For SaaS companies pursuing SOC 2.

Healthcare (HIPAA)

For healthcare + healthcare-adjacent.

Financial Services

For fintech + banking.

Multi-Jurisdiction

Global operations complexity.

Frequently asked questions

How do I use the Regulatory Compliance Checker — Industry + Jurisdiction Requirements prompt?

Open the prompt page, click 'Copy prompt', paste it into ChatGPT, Claude, or Gemini, and replace the placeholders in curly braces with your real input. The prompt is also launchable directly in each model with one click.

Which AI model works best with Regulatory Compliance Checker — Industry + Jurisdiction Requirements?

Claude Opus 4 or Sonnet 4.5. Regulatory compliance requires legal + operational + technical understanding. Top-tier reasoning matters. NOT legal advice.

Can I customize the Regulatory Compliance Checker — Industry + Jurisdiction Requirements prompt for my use case?

Yes — every Promptolis Original is designed to be customized. Key levers: Not legal advice. Compliance attorney + specialized audit firms for formal compliance.; Start with: what regulations apply to YOU based on business + customers + geographies.

Explore more Originals

Hand-crafted 2026-grade prompts that actually change how you work.

← All Promptolis Originals

Curated by

Promptolis Editorial

Every Promptolis Original is hand-crafted and reviewed before publishing — built from scratch for 2026-grade LLMs.

Last reviewed on 2026-04-20 · About Promptolis