Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

While the objective of protecting personal data is to be lauded, the current setup in the US is one of the most complex in the world. Twenty states. Twenty different thresholds and definitions. ‘Sale’ means one thing in California, another in Virginia. Tracking 275 daily website visitors puts you in scope for CCPA/CPRA, but not Tennessee’s law. 274 keeps you out of both. Just determining if a law even applies has become a legitimate challenge for businesses.

‍ ‍The Monetary Authority of Singapore's (MAS) Consultation Paper on Guidelines on Artificial Intelligence Risk Management, released in November 2025, dramatically altered how AI is positioned within the country’s financial supervision. The document states that the proposed Guidelines "set out MAS' supervisory expectations relating to AI risk management in financial institutions (FIs)" (p.3).

The EU Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for most products with digital elements placed on the EU market. It raises the baseline for secure-by-design/default engineering and, critically, makes post-market security support and evidence production a compliance obligation.

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the handling of personal data belonging to individuals in the European Economic Area (EEA). It is considered one of the strictest data privacy regulations globally. ‍ If your organization processes the personal data of EU/EEA residents, complying with the GDPR is mandatory.

Rate this post Last Updated on January 16, 2026 by Narendra Sahoo GDPR and data retention — is an important aspect of organizations operating with large data processing requirements for their customers and third parties. One key area that organizations face challenges is how their data storage and handling should apply to customers: specifically, how long you’re allowed to store customer data, and why this is one of the areas where organizations get it wrong most often.

Due to growing awareness of data privacy risks, organizations face mounting pressure from regulators to safeguard sensitive personal information. This can be particularly challenging for US companies, which must adhere to both domestic regulations, such as the CCPA and HIPAA, as well as international frameworks in their target global markets.

The General Data Protection Regulation (GDPR) is the EU’s landmark law for data security and privacy, and is mandatory for any organization that processes the data of individuals within the EU. ‍ While GDPR compliance is a legal requirement, the framework also serves as a benchmark for ethical and transparent data management. For growing startups, aligning with the GDPR boosts credibility early on and signals customers and investors that privacy and trust are critical to the organization.

As AI adoption accelerates across business functions, December’s expert roundup focuses on a question many organizations are now confronting in practice rather than theory: how should companies prepare for AI related data processing under GDPR. Unlike traditional automation, AI systems often rely on large, dynamic datasets, continuous learning, and opaque decision logic.

Mexico has taken a major step toward strengthening its digital defenses with the official unveiling of its first National Cybersecurity Plan, a landmark initiative that establishes the country’s first specialized policy framework for cybersecurity.

Applicability thresholds of state privacy laws often hinge on size or scale. TDPSA is different. It puts no revenue thresholds like CCPA or CPRA. So if your business operates in Texas or reaches the state’s residents, you’re most likely inside the scope already. The law took effect on July 1, 2024, and by January 2025, the universal opt-out obligations became fully enforceable. That transition is what moved TDPSA from a policy update to a website-level requirement.