Arthur Mansourian
EXPERTISE
Privacy Compliance
Data Protection
Risk Assessment
Policy Governance
Security Compliance
Arthur is a U.S.-based privacy, data protection, and tech risk consultant with hands-on experience helping companies build, improve, and operationalize privacy and compliance programs. His background covers GDPR, UK GDPR, CCPA and CPRA, HIPAA, privacy operations, OneTrust program support, policy governance, risk assessment, security compliance, and audit readiness for SaaS, technology, cloud, and regulated-data environments.
Arthur holds the CIPP/US credential and has completed multiple OneTrust certificates in Tech Risk and Compliance, Compliance Automation, IT Risk Management, Enterprise Policy Management, and Issues Management. He also holds an MBA from USC Marshall and a B.A. from UCLA. He brings a rare mix of privacy law knowledge, GRC process skill, strong writing ability, and practical experience partnering with legal, product, engineering, security, and business teams.
Arthur has deep experience building and maintaining Article 30 Records of Processing Activities. This includes documenting controller and processor roles, categories of personal data, categories of data subjects, processing purposes, recipients, subprocessors, transfer details, retention periods, and security measures across customer, employee, vendor, product, support, and marketing data flows. He also supports data inventories, data maps, privacy assessments, and operating reviews tied to retention, deletion, access approvals, and downstream sharing.
In addition to privacy work, Arthur brings strong experience with information security and compliance support. He has handled policy and control documentation, risk registers, evidence review, issue remediation, audit support, and written reporting tied to SOC 2, ISO 27001, HIPAA, NIST-based frameworks, and related internal control programs. He understands how privacy obligations connect with security controls in actual operating environments, including least-privilege access, role-based access controls, audit logging, encryption, pseudonymization, tokenization, key management, incident response, vendor oversight, and cloud security responsibilities.