Compliance Chronicles with Liisa Thomas

Liisa Thomas

Working in privacy or compliance today means doing organizational change in an AI‑driven world, often without a playbook. Compliance Chronicles brings you lessons with leaders who have navigated that reality, using a simple structure in every episode: their career journey, the challenges they faced, the lessons they took away, and the advice they have for you. Compliance Chronicles is a practical, conversation‑driven podcast for privacy, cyber, and compliance professionals who are being asked to “figure out” AI, data protection, and regulatory change while still handling their day‑to‑day work. Liisa’s practice focuses on helping companies design and mature AI and privacy governance programs, and this show reflects the real questions clients bring into that work. Hosted by law firm partner and adjunct professor Liisa Thomas, the show is designed for CLOs, CPOs, CISOs, CCOs and their teams who need to create workable solutions to tricky AI, privacy, and cyber compliance problems. In her conversations with leaders across the industry, Liisa draws on her legal and organizational change experience helping companies build privacy and AI governance to ask the questions you wish you could have, and to surface patterns you can reuse with your own teams. In each episode, Liisa interviews leaders in the industry who share their career journey, the challenges they have faced and lessons they learned along the way, and their parting advice for others walking a similar path. Guests talk openly about moving skeptical businesses, working with boards and regulators, and operationalizing privacy, cyber, and AI governance in complex, fast‑moving environments. Whether you are new to privacy or a seasoned CPO, you will hear relatable stories, hard‑won lessons, and human‑centered strategies you can apply in your own organization. If you’re wrestling with AI, privacy and cyber governance in your own organization, you will also hear how Liisa approaches these issues in her work with clients. You can find all episodes at https://www.compliance-chronicles.com.

  1. 1d ago

    Developing Effective Compliance Guardrails with Bill Connolly (Ep. 14)

    Stepping into compliance “by accident,” building guardrails that actually help the business, and staying curious enough to reinvent your career—Episode 14 with Bill Connolly is packed with practical lessons for anyone in risk, privacy, or compliance leadership. In this episode of Compliance Chronicles, host Liisa Thomas talks with Bill Connolly, Head of Resiliency Risk for the U.S. retail bank at HSBC. Bill oversees a broad risk portfolio that spans information risk, business continuity, disaster recovery, operational resilience, and more—all brought together in a single resiliency risk program. He shares how his career evolved from managing TCPA suppressions and customer choice, to vendor risk and privacy, to digital compliance, and ultimately into enterprise resiliency risk. Bill walks through his “privacy by almost accident” story: starting with do‑not‑call and do‑not‑solicit databases, helping to build practical privacy questionnaires, and being asked to relaunch a new privacy program by writing a privacy policy that actually reflected how the organization worked. That experience led him into digital compliance, where he carried forward his privacy and information risk expertise to tackle cookie compliance, cross‑border data issues, and global data privacy obligations in a large financial institution. A major theme of the conversation is how to communicate risk in a way the business understands. Bill explains how he created “guardrails” to reduce low‑value questions and empower teams: if people stay within well‑defined parameters on TCPA, privacy, or other rules, they can move quickly; if they step outside those guardrails, that’s when legal and compliance step in. He shares why this kind of tooling not only helps the business move faster but also protects second‑line teams from getting buried in ad‑hoc requests. They dig into the challenges of new regulatory and resiliency requirements, including “important business services” mapping and the sheer scope of work that often falls on a small group of people in each business unit. Bill talks about translating highly technical topics—like IT vulnerabilities—into business language and compelling risk narratives that management can act on and fund. He emphasizes the importance of understanding both the compliance requirements and the resource impact on the business, so you can prioritize, sequence, and negotiate change effectively. Bill also shares career advice for compliance, risk, and privacy professionals at different stages. For those starting out, he stresses curiosity—following your interest into areas like digital privacy or information risk, and backing it up with credentials such as CISA and IAPP certifications. For those who are bored or burned out, he suggests re‑examining your role, looking one year ahead at where you want to be, and exploring adjacent areas like digital, operations, or new risk domains where your expertise can be uniquely valuable. The conversation closes with a focus on growth and reflection: using sabbaticals or mini‑sabbaticals, mentorship, and honest self‑assessment to decide when you need a new challenge. Bill’s parting advice is to deliberately step outside your comfort zone—because no one will do that for you—and to treat each stretch assignment as a way to expand both your knowledge and your network. If you work in privacy, compliance, operational risk, or resilience at a bank or large corporate and want to become a more effective partner to the business while continuing to grow your own career, this episode is for you. If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.

    13 min
  2. Jun 24

    Creative Connections with Business Teams, with Katie Tomashevski (Ep. 13)

    In this lucky 13th episode of Compliance Chronicles, host Liisa Thomas talks with Katie Tomashevski, a New York–born, London‑trained British solicitor and internal auditor who specializes in data privacy and compliance. Katie shares her path from photojournalism and the entertainment and music industry into regulation, then into data protection, internal audit, and privacy roles in a large company. Katie explains how working in PR, marketing, and entertainment licensing led her to law school and ultimately to becoming a “second‑career solicitor,” using her creative background to connect with stakeholders and translate complex regulatory requirements into practical guidance. She describes going from “poacher to gamekeeper” as a regulator under multiple licensing and safety regimes, and how that experience shaped her approach to helping businesses do what they really want to do while staying compliant. They dig into the realities of compliance work: why “nobody likes compliance,” why most people genuinely want to do the right thing, and how curiosity and context are essential for getting buy‑in. Katie talks about how dyslexia has made her a better privacy and compliance professional, because it forces her to demand context, clear agendas, and upfront information so she can give her best advice. She shares how this mindset helps her understand business objectives, identify real risks, and avoid selling “solutions in search of a problem.” The conversation also explores Katie’s time as a data protection officer and internal advisor on data privacy, including a vivid story about data retention, data subject access requests, and what happens when organizations keep personal data far longer than promised. She highlights a key lesson: privacy and compliance teams advise on the “how,” but the business owns the “what” and the accountability for data processing decisions. Finally, Katie offers practical, encouraging advice for privacy, compliance, and audit professionals at every stage: be curious about what people actually want to achieve, see yourself as a trusted advisor rather than the “fun police,” and learn to speak the client’s language so your guidance lands and drives real behavior change. She emphasizes that every business, function, and client group has its own vocabulary—and the more you can mirror it, the more effective you become as a compliance and data privacy partner. If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.

    10 min
  3. May 27

    The Path From Big Law Litigator to CLO with Lori Baggett (Ep. 11)

    Chief Legal Office Lori Baggett shares her journey from small‑town Florida to Big Law litigator to CLO at PODS, a national moving and storage company. In this 11th Episode of Compliance Chronicles, she talks with host Liisa Thomas about what really changes when you move from law firm partner to in‑house counsel and ultimately into the chief legal officer role. Lori describes her path from Division I basketball player to clerk on the Eleventh Circuit, to 18 years at a prestigious firm where she built a practice in employment law, construction, and OSHA workplace safety—while also taking on leadership roles like hiring partner and office managing shareholder. A central theme is the identity shift that comes with going in‑house. She contrasts the law firm environment, where everything is organized around selling your legal services, with the in‑house world, where the focus is on being a business person with a law degree, not “the lawyer” in the corner office. Lori and Liisa dig into how to avoid being seen as “the department of no” and instead become a trusted partner who helps the business get to yes. Lori shares how she learned to make sure she’s invited to the right meetings, build credibility with business colleagues, and communicate that her job is to help them achieve their goals in a safe, compliant way. She talks about mentors who modeled calm, unflappable leadership and taught her when to push, when to listen, and how to stay steady in chaos. The conversation tackles people leadership and feedback as ongoing challenges, no matter the setting. Lori discusses learning to give and receive constructive feedback, advocate for yourself, and live out her personal mantra: “Do no harm, but take no stuff.” She emphasizes the importance of standing up for your needs—whether that’s feedback, mentorship, or opportunities—while still being a supportive leader for your team and partners. Operationally, Lori shares how she thinks about building systems that set people up to do the right thing. She talks about looking at leadership workloads, time and motion studies, and the realistic number of hours in a workday when designing compliance and safety expectations. Instead of endlessly adding to the plate of field leaders, she emphasizes prioritization, clarity, and creating structures that make compliance achievable rather than overwhelming. Lori also offers a powerful mindset shift around blame and mistakes. She explains why she reminds herself that people don’t wake up wanting to do a terrible job at work; most are trying their best within the systems and information they have. That perspective leads her to “link arms” with colleagues, use “we” language, and focus on understanding why something happened before Monday‑morning quarterbacking. She shares her belief that each of us is “one of one,” and that careers get better when we own who we are instead of trying to fit someone else’s mold. For those earlier in their journey, she encourages patience: you will find your “sea legs,” and staying true to yourself will help you find the spaces that are truly the right fit. If you’re a law firm partner thinking about moving in‑house, an aspiring general counsel or chief legal officer, or a compliance and risk leader looking for inspiration on how to be a better business partner, this episode offers candid insight and practical takeaways. If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.

    10 min
  4. Apr 29

    Thriving in Compliance Gray Areas with Deb Sokol (Ep. 9)

    In episode nine of Compliance Chronicles, we learn from Deb Sokol the importance of embracing the gray and look at the evolving nature of compliance. Deb shares her compliance journey and lessons she's learned along the way. What we cover: Being open to new opportunities and volunteering for stretch assignments can unexpectedly launch a career in privacy and complianceMoving from a pure legal role into a compliance role requires a mindset shift toward controls, documentation, metrics, and disciplined, programmatic thinkingMature compliance programs are built on clearly defined controls, monitoring, testing, and consistent documentationPrivacy and AI work often happens “in the gray,” where laws are incomplete or unclear, and professionals must use analogies, principles, and creativityGiving specific, actionable guidance to the business is challenging when statutes and regulations leave gaps or ambiguitiesRotations or close work inside a compliance function help lawyers better understand operational realities and what “good” looks like on the groundBuilding a strong network and “phoning a friend” — peers, experts, and trade organizations — is critical when working in uncertain or novel areasLearning to be comfortable with ambiguity reduces anxiety and enables better decision-making in evolving regulatory landscapesEffective compliance planning starts with mapping principles and end goals, then designing a practical program around themWhen teams feel overwhelmed by a compliance plan, it helps to prioritize: start with what is highest risk or what must be done first to enable everything elseVersion one of a solution does not need to be perfect; a good-enough, law-compliant baseline can be iterated over timeRisk-based prioritization allows teams to focus limited resources on changes with the greatest impact, while deferring lower-risk improvementsStepping outside your comfort zone is essential for growth in privacy and compliance, even when it feels uncomfortableRaising your hand and being known as someone willing to try new things expands opportunities and builds a deeper experience baseEach new experience, even tangential ones, adds to your toolkit and confidence for future roles and challengesCuriosity is a superpower in a fast-changing field; asking follow-up questions and staying inquisitive keeps you adaptable and effective If you enjoy this conversation, make sure to subscribe to Compliance Chronicles in your favorite podcast app and follow the show so you don’t miss future episodes on privacy, AI, internal audit, and real‑world compliance leadership.

    10 min
5
out of 5
28 Ratings

About

Working in privacy or compliance today means doing organizational change in an AI‑driven world, often without a playbook. Compliance Chronicles brings you lessons with leaders who have navigated that reality, using a simple structure in every episode: their career journey, the challenges they faced, the lessons they took away, and the advice they have for you. Compliance Chronicles is a practical, conversation‑driven podcast for privacy, cyber, and compliance professionals who are being asked to “figure out” AI, data protection, and regulatory change while still handling their day‑to‑day work. Liisa’s practice focuses on helping companies design and mature AI and privacy governance programs, and this show reflects the real questions clients bring into that work. Hosted by law firm partner and adjunct professor Liisa Thomas, the show is designed for CLOs, CPOs, CISOs, CCOs and their teams who need to create workable solutions to tricky AI, privacy, and cyber compliance problems. In her conversations with leaders across the industry, Liisa draws on her legal and organizational change experience helping companies build privacy and AI governance to ask the questions you wish you could have, and to surface patterns you can reuse with your own teams. In each episode, Liisa interviews leaders in the industry who share their career journey, the challenges they have faced and lessons they learned along the way, and their parting advice for others walking a similar path. Guests talk openly about moving skeptical businesses, working with boards and regulators, and operationalizing privacy, cyber, and AI governance in complex, fast‑moving environments. Whether you are new to privacy or a seasoned CPO, you will hear relatable stories, hard‑won lessons, and human‑centered strategies you can apply in your own organization. If you’re wrestling with AI, privacy and cyber governance in your own organization, you will also hear how Liisa approaches these issues in her work with clients. You can find all episodes at https://www.compliance-chronicles.com.