This chapter covers three critical compliance regulations: GDPR, HIPAA, and PCI-DSS. For the 220-1102 exam, you must understand what each regulation protects, who it applies to, and the key requirements an IT professional must implement. Approximately 10-15% of the Security domain questions touch on compliance, often asking you to identify which regulation applies in a given scenario or to recognize a required control. Mastering these basics will help you answer scenario-based questions confidently.
Think of a company as a large office building. GDPR is like a strict privacy policy that requires you to have a locked filing cabinet for each tenant's personal data, and you must tell them exactly what files you keep and why. If a tenant asks to see their file, you must show them within 30 days. HIPAA is like a medical clinic inside the building with its own set of rules: all patient records must be in a separate, locked room with access logs, and only doctors and nurses with a key can enter. PCI-DSS is the security for the building's credit card payment center—the room where you swipe cards must have video surveillance, the computer must be isolated from other networks, and you must change the locks every 90 days. If you don't follow these rules, you can be fined or lose your license to operate. Just like building security, compliance requires documented policies, regular audits, and specific controls for different types of sensitive data.
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union (EU) in May 2018. It protects the personal data of EU citizens, regardless of where the data is processed. The regulation applies to any organization that offers goods or services to EU residents or monitors their behavior, even if the organization is based outside the EU.
Key principles include:
Lawfulness, fairness, and transparency: Processing must have a legal basis (e.g., consent, contract, legal obligation).
Purpose limitation: Data can only be collected for specified, explicit, and legitimate purposes.
Data minimization: Only collect data that is necessary for the purpose.
Accuracy: Data must be kept accurate and up to date.
Storage limitation: Data must be kept no longer than necessary.
Integrity and confidentiality: Security measures must protect data.
Accountability: The data controller is responsible for compliance.
Key GDPR Rights for Individuals
Right to be informed: Individuals must be told how their data is used.
Right of access: Individuals can request a copy of their data (Subject Access Request – SAR).
Right to rectification: Individuals can correct inaccurate data.
Right to erasure (Right to be forgotten): Individuals can request deletion of their data under certain conditions.
Right to restrict processing: Individuals can limit how their data is used.
Right to data portability: Individuals can receive their data in a machine-readable format.
Right to object: Individuals can object to processing for marketing or research.
Enforcement and Penalties
Supervisory authorities (e.g., ICO in the UK) can impose fines up to €20 million or 4% of annual global turnover, whichever is higher. Fines are tiered: less severe violations (e.g., failure to maintain records) can result in up to €10 million or 2% of turnover.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law enacted in 1996. It sets national standards for protecting sensitive patient health information (Protected Health Information – PHI). The law applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (third parties that handle PHI).
HIPAA Rules
Privacy Rule: Governs the use and disclosure of PHI. Patients have rights to access their health information, request amendments, and receive accounting of disclosures.
Security Rule: Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI).
Breach Notification Rule: Requires covered entities to notify affected individuals, the Secretary of HHS, and sometimes the media following a breach of unsecured PHI.
Enforcement Rule: Establishes penalties for violations.
HIPAA Safeguards
The Security Rule specifies three types of safeguards:
Administrative: Policies, procedures, training, and risk assessments.
Physical: Facility access controls, workstation security, device and media controls.
Technical: Access controls, audit controls, integrity controls, transmission security, and authentication.
Penalties for HIPAA Violations
Civil penalties range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for identical violations. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards established by major credit card companies (Visa, MasterCard, American Express, Discover, JCB) to protect cardholder data. It applies to any entity that stores, processes, or transmits cardholder data, including merchants, service providers, and financial institutions.
PCI-DSS Requirements (12 Requirements)
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data (e.g., encryption, truncation, tokenization).
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software on systems commonly affected by malware.
6. Develop and maintain secure systems and applications (e.g., patch management).
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes (e.g., vulnerability scans, penetration testing).
12. Maintain a policy that addresses information security for all personnel.
PCI-DSS Validation
Merchants are classified into four levels based on transaction volume. Level 1 merchants (over 6 million transactions per year) must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV). Lower levels may use Self-Assessment Questionnaires (SAQs).
Penalties for Non-Compliance
Fines can range from $5,000 to $100,000 per month by the card brands. Additionally, non-compliant entities may be held liable for fraud costs, face increased transaction fees, or have their ability to process credit cards revoked.
Common Elements Across Regulations
All three regulations require:
Data classification: Identifying sensitive data.
Access controls: Ensuring only authorized personnel can access data.
Encryption: Protecting data at rest and in transit.
Audit trails: Logging access and changes.
Incident response: Plans for breaches.
Training: Employee awareness.
Documentation: Policies and procedures.
Exam-Relevant Details for 220-1102
GDPR applies to any organization handling EU personal data, regardless of location.
HIPAA applies only to US healthcare entities and their business associates.
PCI-DSS applies to any organization that accepts credit cards.
Know the difference between a data controller (determines purposes) and data processor (processes data on behalf of controller) for GDPR.
For HIPAA, remember the three safeguards: administrative, physical, technical.
For PCI-DSS, the 12 requirements are often tested as a list; focus on requirements 3 (protect stored data), 4 (encrypt transmission), and 10 (track access).
Breach notification: GDPR requires notification within 72 hours; HIPAA requires notification within 60 days; PCI-DSS requires notification to the card brands immediately.
Penalties: GDPR up to 4% of global turnover; HIPAA up to $1.5 million per year; PCI-DSS fines vary.
Interaction with Other Technologies
Encryption (e.g., TLS) helps meet HIPAA and PCI-DSS requirements for data in transit.
Firewalls and IDS/IPS are used to meet PCI-DSS requirement 1.
Access control systems (e.g., Active Directory) help enforce need-to-know for all regulations.
Backup and disaster recovery procedures support GDPR's storage limitation and HIPAA's data availability.
Identify Applicable Regulations
Determine which regulations apply to the organization based on its industry, location, and data types. For example, a US hospital must comply with HIPAA; an e-commerce site selling to EU customers must comply with GDPR; any business accepting credit cards must comply with PCI-DSS. The 220-1102 exam will present scenarios where you need to identify which regulation(s) apply.
Classify Data and Assets
Inventory all data and classify it based on sensitivity. For GDPR, identify personal data (e.g., name, email, IP address). For HIPAA, identify PHI (e.g., medical records, health insurance info). For PCI-DSS, identify cardholder data (e.g., primary account number, expiration date). This step is critical for implementing appropriate controls.
Implement Policies and Procedures
Create and enforce written policies that address each regulation's requirements. For GDPR, include data retention and deletion policies. For HIPAA, include privacy and security policies. For PCI-DSS, include an information security policy (requirement 12). Policies must be reviewed annually and updated as needed.
Deploy Technical Controls
Implement technical safeguards such as firewalls (PCI-DSS req 1), encryption (req 3 & 4), access controls (req 7 & 8), logging (req 10), and anti-malware (req 5). For HIPAA, ensure technical safeguards like access controls and audit controls are in place. For GDPR, implement data protection by design and default, including pseudonymization.
Train Employees and Conduct Audits
Provide regular training to employees on compliance obligations. Conduct periodic audits to verify controls are working. For PCI-DSS, perform quarterly network scans and annual assessments. For HIPAA, conduct risk analyses. For GDPR, maintain records of processing activities and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
In a typical enterprise, compliance is a cross-functional effort involving IT, legal, and security teams. For example, a multinational company that processes credit card payments from EU customers must comply with both GDPR and PCI-DSS. The IT team must ensure that cardholder data is encrypted both at rest (using AES-256) and in transit (using TLS 1.2 or higher). They must also implement network segmentation so that the cardholder data environment (CDE) is isolated from the rest of the network, meeting PCI-DSS requirement 1. Logging must capture all access to cardholder data, with logs retained for at least one year (three years for PCI-DSS).
A common challenge is managing data retention. GDPR requires that personal data be kept only as long as necessary, while PCI-DSS requires that cardholder data be retained only for business or legal reasons (e.g., for chargebacks). Misconfiguration can lead to data being kept too long, causing GDPR non-compliance, or deleted too early, causing PCI-DSS issues. Another frequent problem is failing to properly scope the CDE: if a server that processes credit cards is also used for other purposes, it may be in scope for PCI-DSS, requiring additional controls.
For HIPAA, a healthcare provider might use a cloud-based EHR system. The provider must have a Business Associate Agreement (BAA) with the cloud vendor. The IT team must ensure that ePHI is encrypted and that access is logged. A common pitfall is using unencrypted email to transmit patient information—this violates the HIPAA Security Rule. Another is failing to conduct a risk analysis, which is the foundation of HIPAA compliance. Without it, the organization cannot identify vulnerabilities and implement appropriate safeguards.
Performance considerations: Encryption can introduce latency, so hardware acceleration (e.g., AES-NI) may be needed. Logging can generate massive volumes of data; a SIEM system is often used to aggregate and analyze logs. For PCI-DSS, quarterly ASV scans can be disruptive if not scheduled properly. In production, it's common to have a dedicated compliance team that works with IT to ensure controls are maintained and evidence is collected for audits.
The 220-1102 exam tests compliance under Objective 2.2 (Given a scenario, apply security best practices to secure endpoints). You should be able to identify which regulation applies based on the scenario's data type and geography. The exam often presents a scenario where a company handles health information—you must recognize HIPAA. If the scenario involves EU customers, think GDPR. If it involves credit card data, think PCI-DSS.
Common wrong answers: Candidates often confuse HIPAA with PCI-DSS because both involve sensitive data. Remember: HIPAA is for health data only; PCI-DSS is for payment card data. Another trap: assuming GDPR only applies to companies in the EU—it applies to any company that processes EU personal data. Also, candidates may think that PCI-DSS requires annual audits for all merchants—only Level 1 merchants require on-site assessments; lower levels use SAQs.
Specific numbers to memorize:
GDPR breach notification: within 72 hours.
HIPAA breach notification: without unreasonable delay, no later than 60 days.
PCI-DSS: quarterly network scans, annual assessments (for Level 1).
GDPR fine: up to €20 million or 4% of global turnover.
HIPAA fine: up to $1.5 million per year.
Edge cases: The exam may test that a business associate of a covered entity is also subject to HIPAA. For PCI-DSS, they might ask about tokenization vs. encryption—tokenization replaces card numbers with a token, reducing scope. Also, note that PCI-DSS does not require encryption of cardholder data if it is tokenized.
To eliminate wrong answers, focus on the type of data and the applicable law. If the question mentions 'personal data' and 'EU', it's GDPR. If it mentions 'PHI' or 'health information', it's HIPAA. If it mentions 'cardholder data' or 'PAN', it's PCI-DSS. If the question asks about a requirement like 'assign unique IDs', that's PCI-DSS requirement 8. 'Right to be forgotten' is GDPR. 'Privacy Rule' is HIPAA.
GDPR applies to any organization processing EU personal data, regardless of location.
HIPAA applies to US healthcare providers, health plans, clearinghouses, and their business associates.
PCI-DSS applies to any entity that handles credit card data.
GDPR breach notification deadline is 72 hours.
HIPAA breach notification deadline is 60 days.
PCI-DSS requires quarterly network scans and annual assessments (for Level 1).
HIPAA has three safeguard categories: administrative, physical, technical.
PCI-DSS has 12 core requirements; know requirements 3, 4, 10 for the exam.
GDPR includes the right to erasure (right to be forgotten).
Non-compliance penalties: GDPR up to 4% of turnover; HIPAA up to $1.5M/year; PCI-DSS fines vary.
These come up on the exam all the time. Here's how to tell them apart.
GDPR
Applies to personal data of EU residents.
Fines up to €20 million or 4% of global turnover.
Breach notification within 72 hours.
Includes rights like erasure and portability.
Enforced by EU supervisory authorities.
HIPAA
Applies to PHI of US patients.
Fines up to $1.5 million per year.
Breach notification within 60 days.
Includes rights like access and amendment.
Enforced by HHS Office for Civil Rights.
HIPAA
Protects health information (PHI).
Requires administrative, physical, technical safeguards.
Business associates must sign BAAs.
Risk analysis required.
Applies to covered entities and business associates.
PCI-DSS
Protects cardholder data (PAN, etc.).
12 specific requirements including firewall, encryption, logging.
Third-party service providers must be validated.
Quarterly network scans required.
Applies to any entity that stores, processes, or transmits cardholder data.
Mistake
GDPR only applies to companies based in the EU.
Correct
GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is located. This is known as extraterritorial scope.
Mistake
HIPAA only applies to doctors and hospitals.
Correct
HIPAA applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (third parties that handle PHI). This includes insurance companies, billing services, and cloud storage providers.
Mistake
PCI-DSS requires encryption of all stored cardholder data.
Correct
PCI-DSS requires that stored cardholder data be rendered unreadable, which can be achieved through encryption, truncation, tokenization, or hashing. Encryption is one method, but not the only one.
Mistake
If you use a third-party payment processor, you are not subject to PCI-DSS.
Correct
Even if you outsource payment processing, you may still be subject to PCI-DSS if you handle cardholder data in any way (e.g., via your website or point-of-sale system). Many merchants use SAQs to validate compliance.
Mistake
Compliance with one regulation ensures compliance with all others.
Correct
Each regulation has unique requirements. For example, GDPR emphasizes data subject rights, while HIPAA focuses on patient privacy and security. PCI-DSS is specific to cardholder data. Compliance with one does not automatically satisfy the others.
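The "rendered unreadable" correction above and the tokenization-versus-encryption edge case earlier in the chapter both come down to what a storing system is left holding. This added example (not from the chapter or any PCI-DSS tooling) shows truncation/masking, a keyed hash, and a token vault side by side; the Luhn check, the HMAC key, and the sample PAN 4111111111111111 (an industry test number, not a real card) are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a well-known industry test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Sanity-check the input before storing anything. (Luhn checking is an
    assumption of this example; the chapter does not discuss it.)"""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncation/masking: keep at most the first six (BIN) and last four
    digits, the most PCI-DSS allows to be shown or retained. The middle
    digits are discarded, so this value needs no encryption."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) lets you recognise a returning card without
    storing the PAN. An unkeyed hash would not do: the PAN space is small
    enough to enumerate, so the key must be guarded like an encryption key."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: the PAN lives only inside the vault; every other system
    stores a random token that carries no cardholder data. That is what
    takes those systems out of PCI-DSS scope; the vault itself stays in."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._pan_to_token:
            # Same PAN -> same token, so downstream systems can still link
            # transactions; the random part reveals nothing about the PAN.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """The only way back to the PAN; callers of this are in scope."""
        return self._token_to_pan[token]
```

Systems that keep only the masked value, the keyed hash, or the token never hold the full PAN, which is why the chapter says tokenized data does not also need encrypting.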
A data controller determines the purposes and means of processing personal data. A data processor processes data on behalf of the controller. For example, a hospital (controller) may use a cloud storage provider (processor) to store patient records. The controller is ultimately responsible for compliance, but processors must also adhere to GDPR obligations.
No, HIPAA does not mandate encryption, but encryption is an addressable implementation specification under the Security Rule. If encryption is not used, the covered entity must document why it is not reasonable and implement an equivalent alternative measure. In practice, encryption is strongly recommended and often required by other regulations.
A BAA is a contract between a covered entity and a business associate that specifies how the business associate will handle PHI. It must include permitted uses, safeguards, breach notification, and return or destruction of PHI. Without a BAA, a covered entity cannot share PHI with a third party.
Level 1: over 6 million transactions per year. Level 2: 1 to 6 million transactions. Level 3: 20,000 to 1 million e-commerce transactions. Level 4: fewer than 20,000 e-commerce transactions or up to 1 million other transactions. Level 1 requires an on-site assessment by a QSA; lower levels may use SAQs.
The right to erasure allows individuals to request deletion of their personal data when it is no longer necessary for the purpose for which it was collected, or if they withdraw consent. The controller must comply without undue delay, unless there are overriding legal grounds to retain the data.
Validation frequency depends on merchant level. Level 1 merchants require an annual on-site assessment and quarterly network scans. Level 2-4 merchants may use annual SAQs and quarterly scans. All merchants must maintain continuous compliance and respond to any changes.
An SAR is a request by an individual to obtain a copy of their personal data held by a controller. The controller must respond within one month (extendable by two months for complex requests). The information must be provided in a commonly used electronic format. This is similar to HIPAA's right of access.