This instrument maps selected ARCS control families against three regulatory frameworks: the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and the Health Insurance Portability and Accountability Act (HIPAA). It identifies areas in which ARCS aligns with, extends beyond, or operates alongside regulatory requirements relevant to interaction-record governance.

Included control families

This mapping references the following ARCS control families: ARCS-LIF (Record Lifecycle), ARCS-CUS (Custody Surface), ARCS-TAX (Record Taxonomy), ARCS-OPB (Operator Boundary), ARCS-PUB (Publish Boundary), ARCS-NCR (Non-Creation), ARCS-PV (Preservation), ARCS-VER (Verification), ARCS-AGT (Agent Runtime), and ARCS-DEL (Delegation and Memory).

Cross-framework mapping

Principle                              | GDPR                  | CCPA/CPRA               | HIPAA                 | ARCS controls           | Alignment
Data minimization / minimum necessary  | Art. 5(1)(c), Art. 25 | Sec. 1798.100(c)        | 45 CFR 164.502(b)     | LIF, TAX, NCR, PUB, VER | Exceeds
Storage limitation / deletion rights   | Art. 5(1)(e), Art. 17 | Sec. 1798.105           | 45 CFR 164.316        | LIF, TAX, NCR, PV       | Exceeds
Purpose limitation                     | Art. 5(1)(b)          | Sec. 1798.100(c)        | 45 CFR 164.502(b)     | TAX, OPB, PUB           | Meets
Accountability / risk assessment       | Art. 5(2), Art. 24    | Sec. 1798.185(a)(15)    | 45 CFR 164.308(a)(1)  | VER, OPB, CUS           | Exceeds
Audit / accounting of disclosures      | Art. 30               | Sec. 1798.110           | 45 CFR 164.528        | VER, CUS                | Meets
Automated decision transparency        | Art. 22               | CPRA Regs. 7001-7004    | N/A                   | VER, AGT, DEL           | Meets
Security safeguards                    | Art. 5(1)(f), Art. 32 | Sec. 1798.100(e)        | 45 CFR 164.306-312    | CUS, OPB, AGT, VER      | Meets
Processor / service provider controls  | Art. 28               | Sec. 1798.100(d)        | 45 CFR 164.504(e)     | OPB, CUS, DEL           | Meets

Alignment designations. "Exceeds" indicates that ARCS introduces governance or architectural controls beyond the minimum structure required by the cited framework. "Meets" indicates that ARCS provides controls materially responsive to the cited requirement. "N/A" indicates that the cited framework has no directly corresponding provision. These designations are interpretive and informational only; they do not indicate that the cited regulator has reviewed or recognized ARCS.

Notes on alignment

ARCS may exceed regulatory minimums where non-creation or non-retention controls are implemented. In such cases, specified record classes may be prevented from being created or retained in the first instance, rather than governed only through downstream deletion, access restriction, or contractual limitation.

ARCS also addresses governance questions not fully resolved by privacy-law deletion concepts alone. In particular, ARCS distinguishes among business records, operational records, and deliberative-process records, allowing retention and preservation obligations to be managed with greater specificity.

ARCS verification controls support accountability, auditability, and disclosure-response functions through metadata-based evidentiary records. Depending on implementation, these controls may support compliance assessment and response workflows without unnecessarily expanding retained substantive record content.

Notice

This instrument is informative only and does not constitute an equivalence determination, certification, or statement of legal compliance. Regulatory citations should be independently verified against current law, regulation, and guidance before use in compliance certifications, procurement responses, or regulatory submissions.

CPRA implementing regulations and HIPAA guidance concerning designated record sets, audit records, and AI-related system outputs should be separately reviewed for current applicability.