
Regulatory Frameworks


GDPR (General Data Protection Regulation)

| Aspect | Detail |
| --- | --- |
| Jurisdiction | European Union + EEA (applies globally if processing EU residents' data) |
| Effective | May 25, 2018 |
| Max fine | €20 million or 4% of annual global turnover (whichever is higher) |
| Key requirements | Consent, data breach notification (72h), DSARs, DPO, DPIAs, data portability, right to erasure |
| Enforcement | Meta fined €1.2B (2023), Amazon fined €746M (2021) |
```sh
# GDPR compliance checklist
# 1. Data mapping: Document all personal data processed
# 2. Legal basis: Document lawful basis for each processing activity
# 3. Consent: Implement clear, affirmative consent mechanisms
# 4. DPO: Appoint Data Protection Officer (if required)
# 5. Breach response: Implement 72-hour notification process
# 6. DSAR process: Implement process for subject access requests (30-day SLA)
# 7. DPIAs: Conduct Data Protection Impact Assessments for high-risk processing
# 8. International transfers: Implement SCCs or BCRs for cross-border data
```

HIPAA (Health Insurance Portability and Accountability Act)

| Aspect | Detail |
| --- | --- |
| Jurisdiction | United States (healthcare providers, plans, clearinghouses + business associates) |
| Effective | 1996 (Security Rule: 2005) |
| Max fine | $1.5 million per violation category per year |
| Key requirements | Administrative safeguards, physical safeguards, technical safeguards, BAAs (Business Associate Agreements) |
| Enforcement | Anthem: $16M (2018), Advocate Health: $5.5M (2016) |

Three HIPAA rules:

  1. Privacy Rule: Protects individually identifiable health information (PHI)
  2. Security Rule: Requires administrative, physical, and technical safeguards for ePHI
  3. Breach Notification Rule: Requires notification of breaches affecting 500+ individuals

PCI DSS (Payment Card Industry Data Security Standard)

| Aspect | Detail |
| --- | --- |
| Scope | Any organisation that stores, processes, or transmits cardholder data |
| Version | v4.0 (effective March 2025, future-dated requirements to 2025-2027) |
| Validation | Annual QSA assessment (Level 1) or SAQ (Level 2-4) |
| Penalties | $5k-$100k/month by acquiring banks; potential loss of card processing ability |

PCI DSS v4.0 — 12 Requirements (6 categories):

  1. Build and Maintain a Secure Network: Firewalls, secure configurations
  2. Protect Cardholder Data: Encrypt at rest, encrypt in transit
  3. Maintain a Vulnerability Management Program: Anti-malware, secure coding, patching
  4. Implement Strong Access Control: Need-to-know, unique IDs, physical security
  5. Regularly Monitor and Test: Logging, scanning, penetration testing
  6. Maintain an Info Security Policy: Policy, risk assessment

SOX (Sarbanes-Oxley Act)

| Aspect | Detail |
| --- | --- |
| Jurisdiction | US public companies |
| Effective | 2002 |
| Key sections | 302 (certification), 404 (internal controls), 409 (real-time disclosure), 802 (records retention) |
| Penalties | Fines up to $5M, imprisonment up to 20 years |

ITGC (IT General Controls) for SOX:

  • Change management: All changes to financial systems are authorised, tested, and approved
  • Logical access: Access to financial systems is provisioned, reviewed, and revoked appropriately
  • Computer operations: Batch jobs, backups, and monitoring of financial systems
  • Program development: New financial applications are developed securely

ISO 27001

| Aspect | Detail |
| --- | --- |
| Type | Management system standard (not regulatory) |
| Scope | Any organisation globally |
| Structure | Annex A controls (93 controls across 4 domains) |
| Certification | Issued by accredited certification body, valid 3 years with surveillance audits |

Tip: The most common compliance mistake is treating compliance as a point-in-time checkbox. Regulations require CONTINUOUS compliance — controls must operate effectively every day, not just during audit periods. Implement monitoring and automation to demonstrate continuous compliance.