How are you incorporating regulatory uncertainty and policy changes into your technology roadmaps? What contingency planning approaches have proven most effective for your organization?
I am currently leading a tech modernization program and working to build as much momentum as possible. I partner closely with our privacy and compliance teams throughout this process. For example, as we consolidate legacy mainframe systems, some of which have been in use for 30 to 40 years, we’re reviewing our data practices with privacy and compliance in mind. We ask upfront what the intended use of our data is, considering all restrictions on how far data can go within the company, its usage, and retention periods. Our goal is to address these questions before implementing new systems, rather than retroactively. We plan to migrate only three years of data into active systems, with the remainder stored offline until it’s fully de-identified. This staged approach helps us reduce our data footprint while maintaining compliance, and we work with all teams to secure funding and buy-in while momentum is high.
We have regulatory requirements across the globe, including Norway and other regions. To address this, we’ve established a government affairs team to help keep track of regulatory changes and requirements. This team works closely with local teams to ensure compliance, and we constantly revamp our processes because what is required in one region may not apply to another due to differing rules.
This has been a challenge for us recently, especially with all the new state privacy laws. As an organization that relies heavily on reaching out to people for donations, whether through mail, social media, or text messages, and as a company of what I call “data hoarders,” we have seen resistance to letting go of data. People want to keep donor information indefinitely, even if there’s been no contact for years, simply because they might need it someday. We’ve had to use regulatory requirements to drive change, telling teams, for example, that Colorado law now only allows us to keep data for two years without contact, after which we must anonymize it. It’s no longer a choice; we have to enforce data retention policies.
This shift has not been positive from a business perspective, but it is from an IT standpoint. We now have more control over our data and can ensure compliance. The real struggle is keeping up with how frequently regulations change as new laws are passed. To address this, we’ve hired a privacy officer, a new data specialist, and an AI expert focused on staying current with laws and keeping the organization compliant. In our future planning, we assume that at least one or two laws will change each year, so we build in flexibility to adapt as needed.
It’s really challenging, especially being in an FDA-regulated industry. There are numerous guidelines and rules, and if used effectively, they can help achieve our objectives. However, merging these requirements and understanding which elements will advance our goals and which are distractions is a constant challenge.
One interesting development for us, especially following an acquisition, was the need to revamp our IT policy on acceptable device usage. Our existing policy covered company-issued devices, such as laptops and tablets, but did not address the use of personal phones for work purposes. This became an issue when the company we acquired in eastern Canada already had such a policy in place. We updated our policy to clarify the rules for using personal devices for work, ensuring compliance with regulatory requirements. As we continue to grow and acquire new companies, we anticipate further adjustments to maintain an even playing field. The landscape is always changing, and we must continually adapt our policies to address new regulatory challenges without violating any regulations.