Cybersecurity laws and regulations vary across countries and the number is growing as nations cybersecurity mature.  The laws in this article are more specific to western and western serving markets and should always be considered, particularly with respect to an form of security assessment, process or compliance.

General Data Protection Regulation (GDPR), applies to European Union member states and global organisations handling EU citizens personal data.  The UK has its own version of GDPR, which over time will differ based on the needs of that country.  Generally, GDPR are laws for data protection, data privacy, individual rights of their personal data. It mandates organisations to add security controls to protect personal data and also report data breaches within a given time. Organisations can receive significant fines for not following GDPR.

California Consumer Privacy Act (CCPA), applies to California, US, and organisations handling California residents personal data.  CCPA helps to protect California resident rights to their personal data, with a right to know what data is collected, and how it is used. Organisations must implement protections for data protection and provides residents with the right to opt-out of the sale of their personal data.

Health Insurance Portability and Accountability Act (HIPAA), applies to US and organisations handling protected health information (PHI), this is typically within in the healthcare industry with some exceptions.  HIPAA ensures protections for privacy and security of PHI. Organisations must implement protections to protect PHI, perform regular risk assessments, and have incident response procedures in place. Organisations can receive significant fines for not following HIPAA.

Payment Card Industry Data Security Standard (PCI DSS), applies to the world, for organisations that handle credit card transactions and cardholder data.  PCI DSS is a regulatory framework for process, transmission, and storage of cardholder data in a secure manner. It advises various security controls, vulnerability management, and regular security testing.

These are the most common and relevant, in a global setting there are many more and growing.  Organisations in specific sectors may already be well aware, however those in emerging markets or those with diverse client bases will need to be more vigilant of the laws and regulations that apply to them.