Compliance by Design: Why Modern Technology Businesses Need to Build Compliance Into Their Architecture

Ori Das

Padme Law

A CEO I was advising during an M&A transaction once put his hands up in exasperation and said something I have heard many times since:

“Compliance in the world of technology has become burdensome, complex and expensive - and it is only getting worse.”

It was an honest reaction, and not entirely wrong. It also raises an important question: how did we get here?

My role was to guide the team on the legal, regulatory, and compliance dimension of every product they considered. I reviewed app after app – each one carefully tested, assessed, and marked as passed or failed. That experience gave me a front-row seat to a pattern that I have seen play out in boardrooms and product meetings ever since. I have sat with product teams at 11pm finalising the App Store copy. I have been in the room when a BD lead says:

Three decades later, the landscape looks very different.

How We Got Here

The regulatory expansion of the technology sector followed a familiar pattern seen across most transformative industries:
  • first came growth;
  • then came consequences; and
  • then came regulation.
Early legal frameworks were relatively modest. Europe’s 1995 Data Protection Directive, for example, could largely be managed through privacy notices, internal policies and legal teams operating quietly in the background.
That changed fundamentally with the introduction of the General Data Protection Regulation (“GDPR”) in 2018. The GDPR did not merely tighten existing obligations — it changed the architecture of compliance itself. Article 25 introduced the concept of “data protection by design and by default”, requiring organisations to embed privacy protections directly into products, systems and operational processes from the outset. Maximum penalties of up to 4% of global annual turnover made clear that regulators were no longer issuing guidance from the sidelines.

The GDPR was only the beginning. Between 2022 and 2024, a further wave of regulation materially reshaped the landscape, including:

  • the Digital Services Act;
  • the Digital Markets Act;
  • the Cyber Resilience Act; and
  • the EU AI Act — the world’s first comprehensive legal framework governing artificial intelligence.
What changed in this period is not merely the number of laws, but how regulators approach compliance and how they investigate.

A decade ago, prominently displayed policies and disclaimers were often treated as sufficient evidence of compliance. Today, regulators increasingly focus on deeper operational questions:

  • Why was the data collected?
  • What risk assessment was carried out?
  • Who made the decision, and on what basis?
  • How does the product behave in practice?
  • Is there alignment between the product, the claims being made, and the underlying governance?
That shift has significant practical implications. A technology business that treats compliance as a reactive exercise — something addressed after the product is built — will increasingly find that approach expensive, fragile and difficult to sustain. This is where Compliance by Design comes in.

What Compliance by Design Actually Means

The concept itself is straightforward. Compliance by Design means building legal, regulatory and risk considerations into the architecture of a product, process or business model from the outset, rather than attempting to retrofit them shortly before launch or after problems emerge.

This requires a shift in mindset. Compliance can no longer be treated as a final-stage approval function or a box-ticking exercise. It needs to be embedded into product design, operational decision-making and business strategy from the beginning.

A useful analogy is the construction industry.

No serious property developer discovers after completion that the foundations cannot support the building. Structural integrity, fire safety and accessibility requirements are incorporated into the blueprint from day one.

Technology products are no different.

  • the product is the building structure;
  • the design phase is the building blueprint; and
  • compliance is the building code.
And like a building code, compliance rarely works well when applied retrospectively.

This principle now applies across the full spectrum of regulatory exposure:

  • privacy and data protection;
  • cybersecurity;
  • AI governance;
  • consumer protection;
  • intellectual property; and
  • sector-specific regulation.
Each influences how products are designed, how data flows through systems, how decisions are made, and how users interact with technology.
In my experience, much of the remediation work undertaken by lawyers arises because businesses attempt to retrofit compliance into systems that were never designed to accommodate it in the first place. In practice, a mature Compliance by Design framework usually contains four core elements:
  1. a clear regulatory map;
  2. compliance participation at the design stage;
  3. translation of legal obligations into technical and operational requirements; and
  4. documented governance and decision-making evidence.
That final point is increasingly important. Modern regulation is now as much about demonstrating reasoning, accountability and governance as it is about complying with black-letter rules.

The Commercial Case

This is where the real discussion with founders usually begins, and the question is rarely whether compliance matters. Most businesses already understand that the regulatory environment has changed permanently. The real question is whether it makes commercial sense to invest time, money and operational focus into compliance at an early stage, when immediate priorities include product development, customer acquisition and growth.
In my view, that is the wrong way to frame the issue.
When approached correctly, compliance is not simply a cost centre. Increasingly, it is a business enabler and a value driver.
That becomes particularly visible in three scenarios.
1. M&A and Investment Transactions

In transactions, the most damaging issue is often not the absence of policies. It is the gap between:

  • what the business actually does;
  • what the product technically enables; and
  • what the documentation and public claims say is happening.

Where those elements diverge, red flags are raised and, in the current environment, buyers become nervous. Transactions become slower, more expensive and more heavily negotiated through escrow arrangements, indemnities, valuation adjustments and remediation obligations.
However, businesses that are able to demonstrate embedded governance, disciplined decision-making and alignment between operations and documentation are materially easier to diligence and acquire.

2. Enterprise Procurement

Large enterprise customers increasingly conduct detailed compliance diligence before onboarding technology vendors, particularly where AI, data processing or automated decision-making is involved. Procurement exercises now routinely involve multi-disciplinary legal, compliance, privacy and security teams. Businesses that are unable to answer or substantiate questions about governance, AI oversight, security and accountability increasingly lose opportunities to better-prepared competitors.
Sophisticated buyers are no longer purchasing the functionality of the product alone. They are purchasing trust.

3. Scalability

A compliance programme embedded within the architecture of the business scales with growth. But a compliance programme added retrospectively becomes progressively more expensive, fragmented and operationally fragile over time.
That distinction becomes even more pronounced as businesses expand internationally, enter regulated sectors or integrate advanced AI capabilities.

The Role of Good Legal Counsel

I have always believed that the role of a strong General Counsel in a technology business rests on balancing two objectives simultaneously:

  1. enabling growth of the business; and
  2. reducing risks associated with the business.

Good legal counsel does not obstruct innovation. Nor does it ignore risk in pursuit of speed. Its role is to help businesses grow sustainably.

Compliance by Design supports that balance particularly well. It creates credibility with customers, investors, regulators and potential acquirers while addressing regulatory issues earlier — when they are cheaper, easier and commercially safer to resolve.

A Practical Starting Point

For founders, the question is not whether to adopt Compliance by Design. The real question is where to begin.
The correct starting point depends on the business: its stage of growth, product architecture, sector exposure, geographic footprint and regulatory profile.
But the first step is usually the same: develop a clear understanding of the regulatory landscape that genuinely applies to the business.
That means more than compiling a generic list of regulations or policies. It requires a practical assessment of:
  • what laws apply;
  • why they apply;
  • where the risks sit;
  • how the product behaves in practice; and
  • whether operational reality aligns with customer-facing claims and documentation.
Importantly, this is not a one-off exercise.
As products evolve, markets expand and regulation develops further, the compliance framework must evolve alongside the business.

In my experience, organisations that adopt Compliance by Design early usually address these challenges at materially lower cost — and with significantly less disruption — than businesses forced into reactive remediation later.

What Got You Here Today, Won’t Get You There Tomorrow

The CEO who expressed his frustration to me was articulating something widely felt across the technology sector. Many founders and investors built businesses during an era when technology companies operated with relatively few regulatory constraints. Innovation moved quickly, product cycles were compressed, and compliance was often treated as a secondary consideration addressed closer to launch.
That model worked for a long time. But the environment that allowed technology businesses to grow with minimal regulatory friction no longer exists.
Across privacy, cybersecurity, consumer protection, platform regulation and AI, the direction of travel is clear: regulation is becoming more intrusive, more sophisticated and more deeply embedded into the operational life of technology businesses.
Regulators are no longer focused only on outward-facing policies and disclosures. Increasingly, they are examining how products are designed, how decisions are made, how risks are assessed, and whether governance is genuinely embedded into the business.
That means the earlier compliance model — where policies and disclaimers were added toward the end of the development cycle — is becoming progressively less effective.
The sector therefore faces a broader reality: it must adapt to the environment that now exists, rather than the environment in which many technology businesses were originally built. In my view, one of the most important adaptations underway is the move toward Compliance by Design.
  • A document-led approach asks: “What policies do we need?”
  • A design-led approach asks: “Are the product, the data practices, the governance framework and the customer claims compliant in the first place?”

The documents then follow naturally.
Compliance by Design is therefore not simply a defensive legal exercise. Increasingly, it is becoming part of the architecture of a well-run technology business. The companies that recognise this shift early are likely to build businesses that are more resilient, more credible, more investable and ultimately more valuable than those that continue to rely on models designed for a very different regulatory era.

General commentary only — not legal advice and no solicitor-client relationship is created. Written by Orijit Das, a solicitor of England and Wales (SRA No. 342008). Full regulatory information: padme.services/disclaimer

These cookies are essential to enable you to move around our websites and to allow the features of the sites to work correctly. Without these, services you request – such as navigating between pages – cannot be provided and you may experience some problems in using our website. These cookies cannot be switched off in our systems. However, you can manage your browser settings to block or alert you about these cookies. These cookies do not store any information that directly identifies you.