Regulatory Landscape
Data governance in banking is driven by regulation. This page summarises the key data protection laws across the globe and how each one shapes a bank's governance program.
Quick Comparison
| Feature | GDPR EU | HIPAA US | PDPL UAE | DPDP India |
|---|---|---|---|---|
| Year Effective | May 2018 | April 2003 (Privacy Rule) | January 2022 | Phased: 2025-2027 |
| Scope | All personal data of EU residents | Protected Health Information (PHI) | Personal data processed in UAE | Digital personal data in India |
| Key Regulator | National DPAs (e.g., ICO, CNIL) | HHS Office for Civil Rights | UAE Data Office (+ DIFC/ADGM Commissioners) | Data Protection Board of India |
| Max Penalty | €20M or 4% global turnover | $1.5M/yr per category + criminal | AED 5M (~$1.36M) | INR 250 Cr (~$30M) |
| Consent Required | Yes (6 lawful bases) | Authorization for uses beyond treatment, payment and operations (TPO) | Yes (with exceptions) | Yes (+ legitimate uses) |
| Right to Erasure | Yes | No (retention mandated) | Yes | Yes |
| Data Portability | Yes | Yes (ePHI) | Yes | Not explicitly |
| DPO Required | For certain organizations | Privacy Officer required | For high-risk processing | For Significant Data Fiduciaries |
| Breach Notification | 72 hours to DPA | 60 days to individuals | Promptly to UAE Data Office | Without delay to Board |
| Cross-Border Transfers | Adequacy decisions / SCCs / BCRs | BAAs required with processors | Adequacy assessment required | Allowed unless govt restricts country |
| Banking Carve-out | No (applies to banks) | Sector-specific (healthcare only) | Yes (Central Bank rules prevail) | Partial (RBI rules prevail on conflict) |
How This Platform Supports Compliance
Data Classification
The 6-level classification (PUBLIC → PCI) maps directly to GDPR's "special categories," HIPAA's PHI, UAE PDPL's sensitive data, and India DPDP's processing restrictions.
CDE Registry
BCBS 239 requires identifying critical data elements (CDEs) with full traceability. The CDE Registry shows every critical element mapped to its physical database location.
Audit Trail
Every regulation requires accountability. The Audit Log tracks all changes, approvals, and data access, ready for regulatory inspection.
Data Lineage
BCBS 239, GDPR (Art. 30), and India DPDP all require tracking where data comes from and where it goes. Lineage mapping provides this traceability.
Approval Workflow
GDPR accountability, HIPAA administrative safeguards, and UAE PDPL governance all need formal change management. The dual-approval workflow ensures proper oversight.
Metadata Catalog
The GDPR right of access, the India DPDP right to information, and UAE PDPL transparency obligations all require knowing exactly what data you hold and where it lives.
Other Key Regulations
BCBS 239
Basel risk data aggregation
PCI-DSS
Payment card security standard
IFRS 9
Financial instruments accounting
SOX
US financial reporting controls
CCPA/CPRA
California privacy law
AML/KYC
Anti-money laundering rules
DORA
EU digital operational resilience
LGPD
Brazil data protection law