The EU General Data Protection Regulation (GDPR) is a European Union law that regulates how personal data is processed and protected. It aims to protect individuals' privacy and data rights while clarifying rules for businesses. GDPR went into effect on May 25, 2018.
The UK Data Protection Act 2018 is a law that governs how personal data is processed in the UK, complementing the UK GDPR (General Data Protection Regulation) and implementing the EU Law Enforcement Directive. It provides a framework for protecting individuals' privacy and empowers them to take control of their personal data. The Act outlines principles for data handling, including fairness, transparency, purpose limitation, accuracy, and security.
The Swiss Federal Act on Data Protection (FADP) is Switzerland's primary law governing the protection of individuals' personal data. It came into force on September 1, 2023, revising the previous Data Protection Act from 1992. The FADP aims to ensure data privacy and security while also facilitating data flow with the EU. It outlines the rights of Swiss citizens regarding their personal data and the responsibilities of organisations in handling it.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a US federal law enacted to protect sensitive patient health information. It sets standards for how healthcare providers, health plans, and other organisations handle, store, and transmit Protected Health Information (PHI), ensuring its privacy and security.
The EU-US Data Privacy Framework (DPF) is a mechanism established to facilitate the transfer of personal data from the EU to the US, ensuring it meets the requirements of the EU's General Data Protection Regulation (GDPR). The GDPR requires organisations to protect the personal data of EU citizens, including when it's transferred outside the EU. The DPF provides a framework for US companies to demonstrate they meet these standards, allowing for the transfer of EU data without additional safeguards.
PIPEDA stands for the Personal Information Protection and Electronic Documents Act, a Canadian federal privacy law. It regulates how private sector organisations in Canada collect, use, and disclose personal information in the course of commercial activity. PIPEDA was introduced in April 2000.
The POPI Act, or Protection of Personal Information Act, is a South African law that governs data protection and privacy. It came into effect on July 1, 2020, with a grace period for compliance ending on June 30, 2021. The Act aims to protect the privacy of individuals and requires organisations to manage personal information responsibly.
Bill 64, now known as Law 25, is a Quebec provincial law that modernises and strengthens the protection of personal information in Quebec. It aims to align with the European Union's General Data Protection Regulation (GDPR) and introduces new requirements for businesses.
The EU Data Act (Regulation (EU) 2023/2854) is a regulation that establishes rules on data access and use across all economic sectors in the EU, aiming to foster a competitive data market and encourage innovation. It will become applicable on September 12, 2025. The EU Data Act and the General Data Protection Regulation (GDPR) are related but distinct. The Data Act focuses on data sharing and access, particularly within the context of the EU's data economy, while the GDPR primarily focuses on the protection of personal data. The Data Act builds upon and complements the GDPR, but it doesn't replace it.
LGPD stands for Lei Geral de Proteção de Dados, which translates to General Data Protection Law in English. It's Brazil's comprehensive data protection law, similar to the GDPR in the EU. The law aims to protect the personal data of individuals and ensure transparency and accountability in how data is managed by businesses.
PIPA stands for the Personal Information Protection Act. It's South Korea's primary data privacy law, designed to protect the privacy rights of South Korean residents and ensure organisations handle personal data responsibly. PIPA is considered one of the world's strictest data protection regimes and is often compared to the EU's GDPR.
The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. The PDPA covers all electronic and non-electronic personal data, regardless of whether the personal data is true or false.
The Digital Personal Data Protection Act (DPDP Act) of 2023 is India's primary law for protecting digital personal data. It applies to data fiduciaries (like data controllers and processors) handling personal data collected digitally or digitised, and to foreign entities offering goods/services to individuals in India and processing their data. The Act aims to strike a balance between data protection rights and the need to process data for lawful purposes.
The Privacy and Other Legislation Amendment Act 2024 (POLA Act 2024) is a piece of Australian legislation that amends the Privacy Act 1988 and other related laws to implement the first tranche of reforms following a review of the Privacy Act. The Act strengthens privacy enforcement, introduces a statutory tort for serious invasions of privacy, and criminalises doxxing, among other changes.
ISO/IEC 27701 is a data privacy standard that provides a framework for organisations to manage the processing of personal data and demonstrate compliance with privacy regulations. It acts as an extension to ISO/IEC 27001, which focuses on information security management systems. ISO 27701 helps organisations establish, implement, maintain, and continuously improve a Privacy Information Management System (PIMS).
ISO 27018 is an international standard that provides guidance on protecting personally identifiable information (PII) in public cloud computing environments. It's a code of practice for cloud service providers (CSPs) who act as PII processors, offering additional security controls and privacy requirements beyond the general information security framework of ISO 27001.
SOC 2, or System and Organization Controls 2, is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that assesses an organisation's controls related to security, availability, processing integrity, confidentiality, and privacy.
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS), providing a framework for organisations to establish, implement, maintain, and continually improve their ISMS. It helps organisations manage and protect their information assets, including physical, digital, and human-related information. ISO/IEC 27001 also helps organisations meet regulatory and legal requirements related to information security.
ISO/IEC 27017 is an international standard that provides a code of practice for information security controls based on ISO/IEC 27002, specifically for cloud services. It's designed to help cloud service providers and customers understand and implement appropriate security controls in the cloud environment.
The HITRUST Common Security Framework (CSF) is a cybersecurity framework designed to help organisations manage risk and meet regulatory compliance when handling sensitive data, especially in healthcare. It harmonises various security and privacy standards and regulations, providing a comprehensive and flexible approach to compliance.
Cyber Essentials is a government-backed certification scheme in the UK designed to help organisations demonstrate they have a minimum level of cybersecurity protection against common online threats. It's recommended by the National Cyber Security Centre (NCSC) as a baseline standard for all organisations. The scheme focuses on five key technical controls to protect against a range of cyber attacks.
NIS 2, or the Network and Information Security Directive (EU) 2022/2555, is an EU-wide directive aimed at improving cybersecurity across the region. NIS 2 aims to enhance the resilience of network and information systems within the EU, particularly for critical infrastructure and essential services.
NIS refers to the Network and Information Systems (NIS) Regulations 2018, a UK law that implements the EU's NIS Directive by imposing security and incident reporting duties on operators of essential services (like energy and healthcare) and relevant digital service providers (such as online marketplaces and cloud services). The regulations aim to enhance the overall cybersecurity and resilience of network and information systems essential for the UK's critical infrastructure and economy.
The EU Cyber Resilience Act (CRA) (Regulation EU 2024/2847) is a regulation that establishes baseline cybersecurity requirements for products with digital elements placed on the EU market. It entered into force on December 10, 2024, and aims to improve cybersecurity across various products, from consumer devices to critical infrastructure components. The CRA requires manufacturers to meet minimum cybersecurity standards, and products must be CE marked and certified as meeting those requirements.
NIST CSF (Cybersecurity Framework) is a general framework for managing cybersecurity risks, while NIST 800-53 provides a specific set of security controls, primarily for federal agencies and their contractors. The CSF offers a broader, more flexible approach, allowing organisations to tailor their security practices to their specific needs. NIST 800-53, on the other hand, is more prescriptive and requires specific security controls to be implemented.
The NHS Data Security and Protection Toolkit (DSPT) is a tool used by organisations that access or use NHS patient data to measure their performance against the National Data Guardian's 10 data security standards. It helps organisations demonstrate their commitment to data security and protection, ensuring the safe handling of sensitive patient information.
CSA (Cloud Security Alliance) compliance refers to the adoption of best practices and standards related to securing cloud computing environments, as defined by the CSA. This includes using resources like the CSA STAR registry, the CSA Cloud Controls Matrix, and other initiatives like the AI Safety Initiative and the Zero Trust Advancement Center. Compliance helps organisations manage risks, understand their security posture, and build trust with their customers.
The UK PSTIA, or Product Security and Telecommunications Infrastructure Act 2022, is a piece of legislation that aims to enhance cybersecurity for connected products in the UK. It focuses on protecting consumers from potentially unsafe products and ensures manufacturers, importers, and distributors of these products adhere to minimum security standards. The Act came into effect on April 29, 2024, with supporting regulations, like the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, outlining specific requirements.
FedRAMP, which stands for the Federal Risk and Authorization Management Program, is a U.S. government-wide program that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services. It ensures that cloud service providers meet specific security requirements before the government can use their services. Essentially, it's a way for the government to assess and authorise cloud providers, acting as a "gold standard" for cloud security in the U.S. public sector.
CIS Controls, developed by the Center for Internet Security (CIS), are a set of prioritised, actionable cybersecurity best practices designed to help organisations strengthen their defences against common cyberattacks. They provide a focused and practical approach to improving cyber resilience.
ISO/IEC 42001 is the world's first international standard for managing artificial intelligence (AI) systems. It provides a framework for organisations to establish, implement, maintain, and continually improve an AI management system, with a focus on responsible AI development and use. The standard emphasises ethics, transparency, accountability, and governance in AI development and deployment.
The EU AI Act (Regulation EU 2024/1689) is a comprehensive regulation establishing a harmonised framework for the development, deployment, and use of artificial intelligence (AI) systems within the European Union. It classifies AI systems based on risk levels and imposes corresponding obligations on developers, deployers, and users. The Act aims to ensure AI is safe, respects fundamental rights, and promotes innovation in the EU. The EU AI Act does impact non-EU businesses. Specifically, non-EU firms that develop or deploy AI systems that are used within the EU, or whose AI outputs affect the EU, are subject to the Act's provisions. This is because the AI Act has an extra-territorial scope, meaning it applies to organisations outside the EU if their AI systems are used or have an impact within the EU.
NHS DTAC stands for Digital Technology Assessment Criteria. It's a set of standards and guidelines used by NHS organisations in England to assess whether digital health technologies meet NHS expectations around safety, security, usability, and interoperability before they are adopted or commissioned.
The US Digital Health Assessment Framework (DHAF) is a framework used to assess the safety, efficacy, usability, and security of digital health products, including apps, in the United States. It helps healthcare providers and patients make informed decisions about which digital health tools best meet their needs by evaluating them against a set of criteria.
The Nordic Digital Health Evaluation Criteria (NordDEC) is a framework for assessing the safety, quality, and efficacy of digital health products (like apps) within the Nordic region. It's a system that helps healthcare providers identify trusted digital technologies and provides developers with clear standards for product development. NordDEC aims to ensure that digital health products meet certain requirements in areas like usability, clinical assurance, security, and data privacy.
DiGA stands for Digitale Gesundheitsanwendungen, which translates to Digital Health Applications. It refers to prescription-based digital health apps that are considered medical devices and are assessed by the German Federal Institute for Drugs and Medical Devices (BfArM). BfArM is the authority that oversees the DiGA process, including listing them in the DiGA directory. DiGA apps are designed to support the recognition, monitoring, treatment, or alleviation of diseases or injuries.
The European Health Data Space (EHDS) (Regulation (EU) 2025/327) is an EU initiative that aims to establish a framework for the secure and responsible use and exchange of electronic health data across the European Union. It envisions a system where individuals have better control over their health data and can access it easily, while also facilitating the use of data for research, innovation, and public health purposes. The EHDS is part of the broader European Health Union, aiming to improve healthcare, strengthen digital health, and promote health-related research and innovation.
ISO 9001 is an internationally recognised standard for Quality Management Systems (QMS), developed by the International Organization for Standardization (ISO). It provides a framework for organisations to consistently deliver products and services that meet customer and regulatory requirements, while also driving continuous improvement in their processes.
ISO 13485 is the international standard for Quality Management Systems (QMS) specifically for the medical device industry, focusing on patient safety and consistent quality throughout a device's lifecycle. It outlines the requirements for a system to consistently produce medical devices and related services that meet customer and regulatory standards.
MDSAP stands for the Medical Device Single Audit Program, a program that allows medical device manufacturers to be audited once to meet the regulatory requirements of up to five different countries: Australia, Brazil, Canada, Japan, and the United States. Instead of undergoing separate audits for each country, manufacturers receive a single audit from an authorised Auditing Organisation that satisfies the Quality Management System requirements for all participating jurisdictions.
21 CFR Part 820 is an FDA regulation for medical device manufacturers, establishing the Quality Management System Regulation (QMSR) and Current Good Manufacturing Practices (cGMP) to ensure the safety and effectiveness of medical devices sold in the United States.
ISO 14971 is the international standard for risk management of medical devices, providing a systematic process for manufacturers to identify and control risks throughout the entire product lifecycle. It establishes principles, terminology, and a comprehensive process to determine and evaluate risks, implement controls, and monitor their effectiveness, ultimately ensuring patient safety and demonstrating regulatory compliance for medical devices.
IEC 62304 is an international standard that provides a framework for the software lifecycle processes of medical devices, ensuring the software is safe, effective, and compliant with regulations. It establishes guidelines for software development, maintenance, risk management, and documentation throughout the entire lifespan of medical device software.
IEC 82304 is an international standard that sets general product safety and security requirements for health software products, such as apps and other standalone software, designed to manage health, deliver care, or improve patient health. It establishes requirements for manufacturers throughout the entire product lifecycle, including development, validation, maintenance, and disposal.
The UK Medical Devices Regulations 2002 (SI 2002 No 618, as amended) set out the legal framework for regulating medical devices and in vitro diagnostic medical devices (IVDs) in Great Britain. These regulations implement relevant European Directives, ensuring that devices are safe and effective for patients, the public, and healthcare professionals. The regulations have been amended to reflect changes in the European Directives and to adapt to the UK's departure from the EU.
Regulation (EU) 2017/745, also known as the Medical Device Regulation (MDR), is a European Union regulation that sets the rules for placing medical devices and their accessories on the EU market. It replaced the Medical Devices Directive (MDD).
Regulation (EU) 2017/746, also known as the In Vitro Diagnostic Regulation (IVDR), is a European Union regulation governing in vitro diagnostic medical devices (IVDs). It aims to ensure the safety and quality of these devices, which are used to test samples like blood or tissue to detect diseases. The IVDR establishes a new regulatory framework, including a revised classification system and conformity assessment procedures.