In our hyper-connected world, data security and cybersecurity have become paramount concerns for organizations of all sizes and in all industries. Governments worldwide have responded by implementing regulations to safeguard sensitive information and combat cyber threats. So much so that it’s becoming a little hard to keep up with them all!
In this article, we'll explore a curated list of some of the key data protection regulations, cybersecurity frameworks, and industry-specific data security standards from different corners of the globe.
From the broad-reaching GDPR in Europe to the sector-specific HIPAA in the United States, we’ve put together an easy-to-understand list with descriptions that’ll ensure you’re armed with the knowledge to navigate the complex world of data protection.
Let’s get right to it:
General data protection regulations
GDPR (EU)
Full name: General Data Protection Regulation
Scope: All organizations worldwide that process the personal data of EU residents.
Description: GDPR is the strictest and most complex personal data protection regulation in the world. Companies are obliged to protect the personal data of EU citizens and cannot collect or process it without their consent.
CCPA (USA)
Full name: California Consumer Privacy Act
Scope: CCPA primarily targets medium and large businesses operating in California, regardless of where the business is located. Assessing whether a business meets the requirements for “operating in California” is not an easy task. Read about the criteria.
Description: CCPA is the first comprehensive consumer privacy law in the United States. It gives consumers the right to know what personal information is being collected, the right to have that information deleted, and the right to opt out of the sale of their sensitive data.
On 1 January 2023, the California Privacy Rights Act of 2020 (CPRA) expanded the CCPA, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate data, and limit businesses' usage of “sensitive personal information”. The act established the dedicated California Privacy Protection Agency.
PIPEDA (Canada)
PIPEDA may soon be replaced by the Consumer Privacy Protection Act (CPPA) – as of June 2023, it has passed the second reading in the House of Commons.
Full name: Personal Information Protection and Electronic Documents Act
Scope: Organizations operating in Canada or organizations located outside of Canada that use personal information in connection with commercial activities within Canada.
Description: PIPEDA is a privacy law in Canada that sets out rules for the collection, use, and disclosure of personal information in commercial activities. It applies to private-sector organizations engaged in for-profit commercial activities.
DPA 2018 (UK)
Full name: Data Protection Act
Scope: Organizations (including government and non-profit) that process personal data in the UK
Description: The Data Protection Act 2018 incorporates the principles of the GDPR and sets out various rights and responsibilities regarding personal data. It requires organizations to implement appropriate technical and organizational measures to safeguard personal data.
Privacy Act (Australia)
Scope: Australian government agencies, businesses, and not-for-profit organizations with a certain annual turnover, but also smaller organizations under certain circumstances (private sector healthcare providers, credit reporting bodies, and others)
Description: The Privacy Act is Australia’s principal data protection legislation. Its main purpose is to protect individuals' privacy and ensure that their personal information is handled in a fair and transparent manner and that organizations take reasonable steps to keep data secure.
POPIA (South Africa)
Full name: Protection of Personal Information Act
Scope: Every entity, private or public, that is either domiciled in South Africa or not domiciled in South Africa but processes personal information in South Africa falls under POPIA’s scope.
Description: The purpose of the POPIA is to safeguard personal data from theft, misuse, and malicious actions. POPIA outlines the conditions under which any person or organization can lawfully process sensitive information.
NIS2 (EU)
EU member states have until September 2024 to implement NIS2 requirements into their national legislation.
Full name: Network and Information Security Directive
Scope: All organizations operating within specified “essential” and “important” sectors and industries, including their digital service providers, fall under NIS2’s scope.
Description: The NIS was introduced in 2016 as the EU’s first cybersecurity directive. The goal of the updated NIS2 is to create a standard level of protection across the EU by implementing cybersecurity requirements and measures in all EU member states. It lists affected sectors, identifies security requirements, unifies reporting obligations, and introduces enforcement measures and sanctions.
All this is meant to protect the critical infrastructure and the citizens of the EU from cyber-attacks.
Cybersecurity Act (EU)
Full name: Regulation (EU) 2019/881
Scope: EU member states, ENISA, certification bodies, and organizations and businesses that develop, manufacture, or provide ICT products and services within the EU
Description: The EU Cybersecurity Act gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and establishes a certification framework for ICT products and services to ensure their reliability. It promotes cooperation among EU member states to enhance cybersecurity practices and information sharing.
CMMC (USA)
Full implementation has been delayed and is expected in 2025.
Full name: Cybersecurity Maturity Model Certification
Scope: All US Department of Defense (DoD) contractors and sub-contractors
Description: CMMC is a framework launched by the DoD in order to protect the controlled unclassified information that it shares with its contractors and sub-contractors from cyber-attacks.
Industry-specific data protection regulations
HIPAA (USA)
Full name: Health Insurance Portability and Accountability Act
Scope: Healthcare providers in the US and their third-party business associates that have access to protected health information
Description: The main purpose of HIPAA is to establish national standards for the electronic exchange of healthcare information and safeguard patients' confidentiality. It aims to maintain the privacy and security of personal health information while enabling the efficient and secure exchange of medical data.
PCI DSS (USA)
Full name: Payment Card Industry Data Security Standard
Scope: The PCI DSS applies globally to all entities that process, transmit or store cardholder data.
Description: PCI DSS is a set of rules and processes that are designed to protect cardholders’ sensitive data from data breaches and fraud. It tells merchants how to handle their customers’ payment card information safely and securely, so it doesn’t fall into the wrong hands.
DORA (EU)
DORA is currently in its 24-month preparation period and will become enforceable in January 2025.
Full name: Digital Operational Resilience Act
Scope: DORA applies to financial entities involved in the EU's financial system, and the ICT service providers that support them. This is true even for companies based outside of the EU.
Description: The purpose of DORA is to strengthen digital resilience within the European Union. It creates a set of rules to handle the risks associated with ICT in the financial industry. By doing so, it will harmonize data security efforts across EU member states.
GLBA (USA)
Full name: Gramm-Leach-Bliley Act
Scope: The Gramm-Leach-Bliley Act applies to a wide range of financial institutions in the US.
Description: The Gramm–Leach–Bliley Act is a US law that governs the handling of non-public personal information by banks and financial institutions, insurance companies, and financial service providers. One of the key components is the Privacy Rule, which requires financial institutions to provide customers with clear and concise privacy notices that explain the institution's information-sharing practices.
TISAX (Germany)
Full name: Trusted Information Security Assessment Exchange
Scope: A TISAX certification is required for all organizations that do business with most major players in the German automotive industry.
Description: TISAX was developed by the German Association of the Automotive Industry (VDA) and provides a common assessment and exchange process, ensuring a high level of data security and confidentiality in the automotive supply chain.
Implement Safetica to comply with regulations effortlessly
With Safetica, it is easy to comply with various regulatory requirements. The solution identifies and classifies your sensitive data and makes sure it is protected against misuse and breaches. Safetica allows you to set up your security policies, so you can restrict access to your sensitive files. You can also perform security audits to see the status of data security at your organization. And in case there is a security threat anyway, you'll be notified in real time.