Security by country
Country-specific security + privacy regulation guides. Which laws apply, who the regulator is, breach-notification timelines, cross-border transfer rules.
United States
US privacy is a patchwork: sectoral federal laws (HIPAA, GLBA, COPPA) plus a rapidly growing list of state privacy laws (CCPA + 12 states and counting). SOC 2 is the de facto B2B SaaS compliance gate, not a law but the first thing procurement asks for.
European Union
The EU has the most comprehensive privacy and security regulatory framework globally. GDPR is the flagship privacy law with extraterritorial reach — it applies to anyone processing personal data of EU residents regardless of where the service is based. Layered on top: EU AI Act (2026), Cyber Resilience Act (2027), NIS2 (2024), DORA (2025).
United Kingdom
Post-Brexit UK maintains a GDPR-equivalent regime (UK GDPR + Data Protection Act 2018) with the ICO as the regulator. Recent reforms (Data Protection and Digital Information Bill iterations) are tweaking at the margins but preserving the core.
Canada
Federal PIPEDA plus provincial laws. PIPEDA applies to most private-sector organizations processing Canadian personal information. Quebec's Law 25, fully in force since September 2024, is the most stringent Canadian regime.
Australia
Australia's Privacy Act 1988 + 13 Australian Privacy Principles (APPs). Notifiable Data Breaches scheme mandates breach disclosure. Major reform package introduced in 2024 materially raised penalties and expanded obligations.
India
India's Digital Personal Data Protection Act (DPDP) 2023 is the country's first dedicated comprehensive privacy law. Enforcement phased 2024-2026. Sectoral rules from RBI (banking) and IRDAI (insurance) add further layers.
Brazil
Brazil's LGPD (Lei Geral de Proteção de Dados) has been in force since August 2020. Enforced by ANPD since 2022. Structurally similar to GDPR with ten legal bases for processing. Applies extraterritorially to anyone processing Brazilian personal data.
Singapore
Singapore's PDPA has been in force since 2014 with major 2020 amendments (breach notification + data portability). Often the regional hub for APAC data operations. Mandatory DPO designation for all organizations.
Japan
Japan's Act on the Protection of Personal Information (APPI), whose 2020 and 2022 amendments introduced breach notification and pseudonymized data. Japan-EU mutual adequacy means data flows in both directions without SCCs.
South Korea
Korea's Personal Information Protection Act (PIPA) is among the most stringent privacy laws globally. Strict consent requirements, unique identifier rules, and cross-border transfer safeguards. ISMS-P certification is the combined security+privacy standard.