Regulations & Compliance

Regulatory & Compliance ...

Compliance Dates - 2025

  • January 17, 2025: DORA full implementation for EU financial entities

  • February 16, 2025: HIPAA Notice of Privacy Practices changes for Part 2 regulations

  • March 7, 2025: Comment period closes for proposed HIPAA Security Rule updates

  • April 1, 2025: PCI DSS 4.0 "best practice" requirements become mandatory

  • Q2 2025: UK Financial Services Growth and Competitiveness Strategy publication

Global

What is GDPR?

The General Data Protection Regulation (GDPR) establishes comprehensive requirements for data governance and data management across several key articles. Here's how the regulation addresses these areas:

Core Data Governance Principles

Article 5 establishes the fundamental principles for data governance, requiring that personal data be processed lawfully, fairly, and transparently. It mandates data minimization (collecting only what's necessary), purpose limitation (using data only for specified purposes), accuracy, storage limitation, and integrity and confidentiality. Crucially, it establishes accountability - organizations must demonstrate compliance with these principles.

Article 6 defines the legal bases for processing, which forms the governance foundation for any data handling. Organizations must identify and document which lawful basis applies to each processing activity - whether consent, contract performance, legal obligation, vital interests, public task, or legitimate interests.

Data Subject Rights and Governance Framework

Article 12 requires organizations to establish transparent governance processes, mandating clear communication about data processing in concise, accessible language. This creates governance obligations for information management systems.

Articles 15-22 establish individual rights that require robust data governance systems to fulfill:

  • Article 15: Right of access - requiring systems to locate and extract an individual's data

  • Article 16: Right to rectification - demanding data accuracy maintenance processes

  • Article 17: Right to erasure ("right to be forgotten") - requiring data deletion capabilities

  • Article 18: Right to restriction of processing - needing data flagging systems

  • Article 20: Right to data portability - requiring structured data export capabilities

Organizational Data Management Requirements

Article 25 mandates "data protection by design and by default," requiring organizations to implement technical and organizational measures that integrate data protection into processing systems from the outset. This fundamentally shapes how data management systems must be architected.

Article 30 requires most organizations to maintain detailed records of processing activities, creating a comprehensive data inventory that documents what data is processed, why, how long it's retained, and who has access. This serves as the backbone of data governance documentation.

Article 32 establishes security requirements for data management, mandating appropriate technical and organizational measures including pseudonymization, encryption, ensuring confidentiality and integrity, and regular security testing.

Accountability and Compliance Management

Article 24 establishes the accountability principle, requiring organizations to implement appropriate measures to ensure and demonstrate GDPR compliance. This creates obligations for governance frameworks that can prove compliance.

Articles 35-36 require Data Protection Impact Assessments (DPIAs) for high-risk processing, creating a governance process for evaluating and mitigating privacy risks before implementing new data processing activities.

Data Transfer Governance

Articles 44-49 establish governance requirements for international data transfers, requiring adequate protection levels and appropriate safeguards when transferring data outside the European Economic Area.

Enforcement and Breach Management

Articles 33-34 create data governance obligations around breach notification, requiring organizations to notify supervisory authorities within 72 hours, and to notify affected individuals when the breach poses a high risk to their rights and freedoms.

Specialized Roles and Governance Structure

Articles 37-39 define when organizations must appoint a Data Protection Officer (DPO) and their governance role in monitoring compliance, conducting impact assessments, and serving as a contact point for data subjects and supervisory authorities.

These articles collectively create a comprehensive framework requiring organizations to implement systematic data governance and management practices, moving beyond simple compliance to embedding privacy protection into organizational culture and systems architecture.

What is PCI DSS?

PCI DSS 4.0: Mandatory as of April 1, 2025, with 12 core requirements including enhanced encryption, payment page script controls, automated technical solutions for web applications, and third-party service provider monitoring. Four compliance levels are based on annual transaction volume: Level 1 (6M+), Level 2 (1M-6M), Level 3 (20K-1M), Level 4 (<20K). Fines range from $5,000 to $100,000 per month.

Industry & Region

Financial Services - UK & EU
  • GDPR (2018): Article 33 requires breach notification to supervisory authorities within 72 hours, Article 34 mandates data subject notification for high-risk breaches. Article 5 establishes fundamental principles for data governance, Article 6 defines legal bases for processing, Articles 15-22 establish individual rights. Penalties up to €20 million or 4% of global turnover.

  • DORA (Digital Operational Resilience Act): Effective January 17, 2025, requires comprehensive ICT risk management frameworks, digital operational resilience strategies, and sound governance arrangements with clear roles and responsibilities. Chapter V mandates rigorous third-party risk management including risk assessments, operational resilience testing, and detailed contractual provisions with exit strategies. Penalties up to 2% of annual global turnover.

  • PSD3 (Payment Services Directive 3): Expected to be finalised in early 2025 with a likely 2026 implementation date for payment service providers. Builds on the PSD2 framework with enhanced security and competition measures.

  • AMLA (Anti-Money Laundering Authority): Establishes the European Anti-Money Laundering Authority, providing supervisory oversight of high-risk financial entities with improved cooperation and information-sharing for AML/CFT compliance.

  • UK FSMA 2023: The Financial Services and Markets Act 2023 creates a designated activities regime with FCA supervision and enforcement powers, with various provisions entering into force throughout 2025.

  • Solvency II: Updated framework with Level 1 changes effective January 2025, requiring enhanced governance including cybersecurity and climate risk requirements, Liquidity Risk Management Plans (LRMPs), and macroeconomic analysis in ORSA assessments. Three-pillar structure with SCR/MCR capital requirements.

  • IFRS 17: Insurance accounting standard effective 2023 using building block approach with contractual service margin (CSM), requiring economic balance sheet methodology and enhanced disclosure requirements.

  • NIS2 Directive: Effective October 17, 2024, covering financial entities with cybersecurity risk management measures, 24-hour incident reporting, and fines up to €10 million or 2% of global turnover.

Financial Services - US
  • GLBA (Gramm-Leach-Bliley Act): Applies to banks, insurance companies, and investment firms through its Privacy Rule, Safeguards Rule, and Pretexting provisions. Fines up to $100,000 per violation for institutions and $10,000 for officers.

  • Dodd-Frank Act: Comprehensive financial reform with Volcker Rule, stress testing requirements, orderly liquidation authority, and Consumer Financial Protection Bureau (CFPB) oversight.

  • SOX (Sarbanes-Oxley Act): Sections 302/404 requiring CEO/CFO certification of financial statements and internal controls over financial reporting. Penalties include fines up to $5 million and 20 years imprisonment.

  • Bank Secrecy Act (BSA): Anti-money laundering requirements including Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs), and Customer Due Diligence (CDD) rules.

  • CFTC Regulations: Commodity Exchange Act oversight including Dodd-Frank derivatives regulations, position limits, and swap dealer registration requirements.

Financial Services - Other regions

Asia-Pacific

  • Australia APRA Standards: Prudential standards including CPS 220 (Risk Management), CPS 230 (Operational Risk Management), and CPS 234 (Information Security). Enforceable undertakings and civil penalties up to AUD 525 million.

  • Singapore MAS Guidelines: Technology Risk Management Guidelines, outsourcing guidelines, and cyber hygiene requirements. Administrative penalties up to SGD 1 million.

  • Japan JFSA Regulations: Financial Instruments and Exchange Act, Banking Act supervision with comprehensive risk management and operational resilience requirements.

  • Hong Kong HKMA Guidelines: Operational resilience, cybersecurity, and technology risk management guidelines with supervisory enforcement powers.

Healthcare - UK & EU
  • GDPR: Special category health data requiring explicit consent or specific legal basis under Article 9, with enhanced protections and processing restrictions.

  • MDR (Medical Device Regulation): Post-market surveillance, unique device identification (UDI), and clinical evidence requirements for medical devices.

  • Clinical Trials Regulation: Streamlined approval process, central EU portal and database, and enhanced transparency requirements.

  • European Health Data Space (EHDS): Draft regulation creating a trusted framework for health data sharing while preserving privacy and individual control rights.

Healthcare - US
  • HIPAA: Privacy Rule, Security Rule, and Breach Notification Rule protecting PHI. 2025 updates include enhanced cybersecurity protocols, multi-factor authentication requirements, improved patient access rights, and vendor management practices. Civil penalties range from $137 to $2,067,813 per violation, subject to annual maximums, plus criminal penalties up to $250,000 and 10 years imprisonment.

  • HITECH Act: Enhanced HIPAA enforcement, breach notification requirements, and meaningful use incentives for electronic health records.

  • FDA 21 CFR Part 11: Electronic records and signatures requirements for FDA-regulated industries including validation, audit trails, and electronic signature controls.

  • Clinical Trial Regulations: Good Clinical Practice (GCP), Institutional Review Board (IRB) requirements, and informed consent regulations.

Healthcare - Canada
  • PIPEDA: Personal Information Protection and Electronic Documents Act covering the private sector (except Quebec, BC, and Alberta) with consent requirements and privacy breach notification.

  • PHIPA (Ontario): Personal Health Information Protection Act with fines up to CAD$200,000 for individuals and CAD$1 million for healthcare organizations.
Insurance - UK & EU
  • Solvency II: Risk-based capital adequacy framework with three pillars: quantitative requirements (SCR/MCR), governance requirements (ORSA, key functions), and disclosure requirements (SFCR). 2025 updates include enhanced macroeconomic ORSA analysis, strengthened governance for cybersecurity/climate risks, and Liquidity Risk Management Plans.

  • IFRS 17: Insurance accounting standard using building block approach with present value of cash flows, risk adjustment, and contractual service margin (CSM). Three measurement models: General Model, Premium Allocation Approach (PAA), Variable Fee Approach (VFA).

  • IDD (Insurance Distribution Directive): Product oversight and governance requirements, conflicts of interest management, and customer information obligations.

  • Solvency UK: UK's implementation of Solvency II principles with specific UK market adaptations and potential reforms under competitiveness agenda.

Insurance - US
  • NAIC Model Laws: State-based regulation including Risk-Based Capital (RBC) requirements, Own Risk and Solvency Assessment (ORSA), and Holding Company System Model Act.

  • Principle-Based Reserving (PBR): Life insurance reserve requirements using company-specific assumptions and stochastic modeling for term and universal life products.

  • State Insurance Codes: Varying by state with licensing, solvency monitoring, market conduct regulation, and consumer protection requirements.

  • LDTI (Long-Duration Targeted Improvements): GAAP accounting changes for long-duration insurance contracts effective January 1, 2023.
Retail & E-Commerce - UK & EU
  • Consumer Rights Directive: 14-day withdrawal period for distance contracts, information requirements, and unfair contract terms protection.

  • Digital Services Act: Platform accountability requirements including illegal content removal, algorithmic transparency, and risk management systems. Fines up to 6% of global turnover.

  • UK Consumer Duty: FCA outcomes-based approach with four outcomes: products and services, price and value, consumer understanding, and consumer support.

  • E-commerce Directive: Information requirements, intermediary liability exemptions, and country of origin principle for online services.

Retail & E-Commerce - US
  • CCPA (California Consumer Privacy Act): Consumer rights including access, deletion, opt-out of sale, and non-discrimination. Penalties up to $2,500 per violation ($7,500 for intentional violations).

  • CPRA (California Privacy Rights Act): Enhanced CCPA with California Privacy Protection Agency enforcement, sensitive personal information protections, and expanded consumer rights. Effective January 1, 2023.

  • FTC Act Section 5: Prohibition against unfair or deceptive practices with case-by-case enforcement and civil penalties up to $51,744 per violation.

  • State Breach Notification Laws: All 50 states have breach notification requirements with varying timelines (immediate to 90 days) and notification thresholds.
Emerging Jurisdictions

Middle East & Africa
  • UAE PDPL: Personal Data Protection Law with administrative, technical, and physical protections required. Fines range from AED 1,000 to AED 1 million.

  • Saudi Arabia PDPL: Personal Data Protection Law under Vision 2030 with consent requirements, cross-border transfer restrictions, and data subject rights.

  • Qatar PDPPL: Personal Data Privacy Protection Law with three types of protections (administrative, technical, physical) and fines from QAR 1 million to QAR 5 million.

  • South Africa POPIA: Protection of Personal Information Act with lawful processing conditions, data subject rights, and Information Regulator enforcement.

Asia-Pacific
  • Australia Privacy Act: Privacy principles, notifiable data breach scheme, and Australian Privacy Principles (APPs) with penalties up to AUD 50 million.

  • Singapore PDPA: Personal Data Protection Act with consent requirements, data breach notification, and Do Not Call Registry. Penalties up to SGD 1 million.

  • Japan APPI: Act on Protection of Personal Information with consent mechanisms, cross-border transfer restrictions, and Personal Information Protection Commission oversight.
