Data Privacy Laws and Compliance: What You Need to Know to Ensure Compliant Non-Production Data
Welcome to your Data Protection and Privacy Laws Guide: DevOps Edition!
In countries and industries across the globe, data privacy laws and regulations abound — and there’s surely more to come. Perforce Delphix is here to keep you up to date and compliant as you navigate how to best secure data in non-production environments and across your DevOps team.
This resource will provide you with insights into these data privacy laws, how they’re enforced, non-compliance risks, and what tools will help you best maintain compliance during application development, quality assurance, and more.
Read along or jump ahead to the section most applicable to you:
Background on Data Privacy Regulations
According to our 2025 State of Data Compliance and Security Report, 100% of the 280 enterprise leaders surveyed have data subject to privacy regulations in non-production.
Regulatory compliance plays a role in decision-making for organizations subject to privacy laws like HIPAA, CCPA, or GDPR. These regulations are often the foundation for application planning.
When you have data for application development, the best approach is “privacy by design,” meaning you take a proactive approach to data privacy and protection laws in the development of products, processes, and systems. That way, you have consistent compliance measures, end-to-end security, full functionality, and more.
Who Oversees Data Privacy Regulations?
When organizations are subject to data privacy laws, they’re monitored by entities dedicated to ensuring compliance. Here are a few:
- Data Protection Authorities: The enforcers of the GDPR within the European Union. Each EU member state has its own data protection authority, an independent public authority that supervises, investigates, and applies data protection law.
- Monetary Authorities:
  - Monetary Authority of Singapore: Singapore’s de facto central bank. Aside from its normal responsibilities of controlling financial reserves and issuing government securities, it regulates the financial sector within Singapore. It also regulates and encourages innovation within the FinTech sector.
  - Hong Kong Monetary Authority: Hong Kong’s de facto central bank. Among its other responsibilities (controlling interest rates, developing financial infrastructure, etc.), it also helps set rules and regulations that influence financial and business systems.
- Australian Securities and Investments Commission: The primary regulator for Australia’s financial markets and all business areas (including any international company with businesses operating in Australia).
Data Privacy Regulations by Region
Global data privacy laws can and will influence any organization’s operations. Let’s break down some international privacy laws by country and region, so you know how to address each of their requirements.

North America
United States
California Consumer Privacy Act (CCPA)
The state of California’s CCPA ensures that organizations must disclose what personal information gets collected, sold, and/or shared by companies. As a result, you must give accessible options for consumers to opt in or out of data sales, request data access, and get a better understanding of your data collection practices.
Further reading: The Cost of CCPA Compliance Is Steeper Than You Think
California Privacy Rights Act (CPRA)
California’s CPRA of 2020 is an extension of the above data privacy law. It broadens consumer rights, with the expansion of what data is considered “sensitive personal information.” This term now includes geolocation, race, genetic information, and more. See how the CPRA may affect your approach to data privacy.
Maryland Personal Information Protection Act (PIPA)
The Maryland PIPA focuses on data breach notification, as the number of breaches continues to increase. Under PIPA, there are strict parameters on how businesses should collect, use, and disclose data. Here’s how you can ensure you meet these PIPA standards.
Massachusetts Data Protection Law
In Massachusetts, this regulation outlines the requirements that organizations must fulfill to safeguard state residents’ data. Are you operating in Massachusetts? See why it’s considered one of the nation’s strictest policies.
The Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act)
New York state’s SHIELD Act has prompted organizations to take a closer look at administrative, technical, and physical safeguards for computerized personal data. Anybody who owns or licenses computerized data — whether an organization or individual — must adopt a cybersecurity program. Learn what the program required by the NY SHIELD Act entails.
Canada
Personal Information Protection and Electronic Documents Act (PIPEDA)
This national private-sector data privacy law in Canada protects internet users’ privacy rights. Organizations under PIPEDA must inform these users of how their data is handled and then obtain their consent to collect, use, and disclose sensitive personal information. Are you subject to PIPEDA? Take a look at PIPEDA requirements.
Europe
General Data Protection Regulation (GDPR)
The GDPR is one of the European data protection laws that gives European Union (EU) citizens more control over their data like name, birth date, address, phone number, etc. It permits these consumers the right to access, correct, erase, or withdraw consent to use their data. See what these GDPR permissions mean for your organization, as well as how you should use AI under GDPR.
Learn how you can go the extra mile to guarantee you are compliant under GDPR. Our own Grant Ward walks through data masking and how it helps meet the necessary regulatory requirements of GDPR.
Sky Italia worked with Perforce Delphix to achieve GDPR compliance in five months, which resulted in a 90%+ reduced infrastructure footprint.
Read Sky Italia’s story
Digital Operational Resilience Act (DORA)
The DORA regulation lays out cyber resilience requirements for financial institutions and third-party information and communication technology (ICT) providers. With the goal of strengthening cybersecurity for financial institutions and the financial sector as a whole, DORA mandates that institutions:
- Harmonize legacy ICT regulations
- Reinforce ICT risk management frameworks
- Improve catastrophic failure response and reporting
- Introduce third-party risk management
Further resources:
- [eBook] Get DORA Ready: Avoid Penalties and Stay Secure
- [Webinar] EU’s Digital Operational Resilience Act (DORA): Protect Sensitive Data & Infrastructure at Scale
South America
Lei Geral de Proteção de Dados Pessoais do Brasil (LGPD)
Brazil’s LGPD data protection law details strict requirements for processing personal and sensitive data, including individuals and companies’ processing activities (like data collection). Whether you’re operating your business in Brazil or collecting personal data from a Brazilian, this protection applies to you. See what LGPD entails.
Africa
Protection of Personal Information Act (POPIA) South Africa
POPIA, South Africa’s principal data privacy law, holds businesses that hold personal data responsible for data breaches and non-compliance. It also requires that businesses obtain formal consent to process special types of data and minors’ data. See what other POPIA parameters are in place for your organization.
South Africa’s Joint Standard 2 (JS2)
The JS2 regulatory rule in South Africa determines how financial institutions should protect and manage sensitive data, audit their systems, and report any data breaches. Now, these banks and organizations must implement robust data protection measures. Read and understand how these JS2 standards affect operations.
Asia
Personal Data Protection Act (PDPA) of Singapore
The PDPA regulates the collection, use, and disclosure of Singapore residents’ personal data, i.e., any piece of information that could be used to identify the individual. Under this law, you must obtain consent, be transparent about why you’re collecting data, notify the consumer, and more. Take a closer look at the full list of PDPA requirements.
The Japan Act on the Protection of Personal Information (APPI)
Under APPI, any organization conducting business in Japan or with its citizens must comply by deleting citizens’ personal data when requested, reporting data breaches, and disclosing personal information operators’ addresses. The APPI also details parameters for specific industries such as healthcare, finance, and telecommunications. See if you’re subject to these APPI requirements, to maintain compliance.
The Middle East
The Saudi Arabia Personal Data Protection Law (PDPL)
Personal data processing in Saudi Arabia is protected under the PDPL, and organizations are held accountable to protect consumer data. Unlike some regulations, this law does not include the right to object to personal data processing. Understand how your organization will need to accommodate PDPL when working in Saudi Arabia or with its citizens.
Data Privacy Regulations by Industry
Certain industries that interact with sensitive information have data privacy laws, guidelines, and restrictions they must abide by. Take a look at considerations for these three different industries:
Healthcare Data Privacy Regulations
Health Insurance Portability and Accountability Act (HIPAA) compliance is the foundation of data privacy measures for the healthcare industry. From protecting personal health information to using data in non-production environments, assess how your organization needs to address HIPAA.
Data masking can also help lift the burden of compliance off healthcare organizations. See how in this webinar:
Looking for a HIPAA data privacy success story?
SelectHealth, with the help of Delphix, cut its innovation time to minutes while still meeting HIPAA compliance requirements.
Read SelectHealth’s story
Molina Healthcare also found new application development efficiencies while keeping HIPAA in mind, thanks to Delphix.
Read Molina Healthcare’s story
Financial Data Privacy Regulations
Financial data security compliance includes a few different data privacy regulations. Financial institutions should follow and/or keep an eye on these respective laws:
Basel III
Basel III (also written Basel 3) is a set of banking regulations introduced after the 2008 Global Financial Crisis. It was implemented to improve banks’ resilience under financial stress. Learn what Basel III means for your financial institution and how it influences your risk models.
Open Banking/PSD2
Open banking, which is being adopted at a varied pace, aims to enable secure interoperability and still maintain consumer centricity, security, and trust. Discover the goals of open banking, such as leveraging APIs and adopting a consistent, unified, and automated approach to data.
Gramm-Leach-Bliley Act (GLBA)
The GLBA safeguards financial information and consumer data in the United States. It covers financial institutions as well as insurance providers, retailers, and higher education. GLBA compliance involves three sections that govern how private financial information is collected and disclosed. Get to know GLBA parameters now.
Business Data Privacy Regulations
Through transactions, businesses, retailers, and merchants gain access to sensitive data — specifically cardholder data like credit card numbers — that needs protecting.
That’s where the Payment Card Industry Data Security Standard (PCI DSS) comes in. Businesses must adhere to standards such as protecting cardholder data with two-fold encryption and masking credit card information in application development, testing, analytics, etc.
What are the Risks of Non-Compliance?
Despite growing concern about regulatory compliance, the 2025 State of Data Compliance and Security Report found that 84% of surveyed organizations allow compliance exceptions in non-production. As a result, we see non-compliance and sensitive data sprawl, where data is uncontrollably shared across the organization and its different systems (including third parties).
Common Consequences of Data Privacy Non-Compliance
Such vulnerabilities can lead to further data privacy risks. Your organization may face data violations and concerns such as:
Increased susceptibility to breaches
Having sensitive data where it shouldn’t be (e.g., unmasked in non-production environments) gives fraudsters more opportunities to take advantage of your organization.
Adverse impact on customers
At their core, data privacy regulations are to protect the consumer. If violated, these individuals can experience personal and financial damage — and more.
Reputational damage
In the same vein, if you are found violating data privacy laws, you can suffer reputational damage, lose consumer and partner trust, and diminish your market share.
Fines
Many data protection and privacy laws impose fines for violations. For example, GDPR fines run up to €20 million or 4% of annual global revenue, and the GLBA enforces a $100,000 fine per violation.
Lawsuits
Some individual employees or board members can be found liable for data privacy violations. For example, in 2018, a person who stole and sold customer records and violated the United Kingdom’s Data Protection Act received a six-month prison sentence.
Does AI Pose a Risk for Data Privacy Law Non-Compliance?
AI poses additional risk to data privacy. Respondents in the State of Data Compliance and Security Report said they are “very” or “extremely” concerned about theft of model training data (78%), privacy compliance audits (68%), and personal data reidentification (67%).
When it comes to AI and data privacy, it’s important to remember that AI models can inadvertently expose sensitive data if you use that data to train it. Learn how AI and data privacy can coexist and work together.
To reduce your compliance risk and avoid repercussions, read up on actionable insights from our eBook: Protecting Personal Information is the Key to Reducing Compliance Risk
2025 Data Compliance Findings: What You Don’t Know CAN Hurt You
Want to know what other risks your organization faces, related to data compliance? Watch the recent webinar from our Delphix colleagues Ann Rosen and Ross Millenacker, who break down insightful stats on data masking, synthetic data, regulatory concerns, and more.
How Does Perforce Delphix Help You Stay Compliant?
The key to thorough, consistent compliance is data masking. Data masking, which is the replacement of real data with realistic, fictitious values, reduces risk and ensures you meet compliance standards. With this capability and other Delphix data compliance solutions, you can automate compliance with the data privacy laws that apply to your organization.
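To make the masking idea concrete for both the PCI DSS passage above (masking card numbers in development and test copies) and the definition of data masking just given, here is an added example that is not Delphix code and not part of this guide. It masks a constructed set of order records: names and e-mail addresses are replaced with fictitious values, and card numbers (PANs) are replaced with same-length fictitious numbers that still pass the Luhn check, so test code that validates card formats keeps working. Replacement values are derived with a keyed hash (HMAC) from a one-time key, so the same real value maps to the same fictitious value within a run (foreign keys still line up) and, once the key is discarded, nothing in the masked copy can be mapped back to the original. All record contents, field names, and the `StaticMasker` class are assumptions of this example.

```python
"""Static data masking of constructed sample records (hypothetical example)."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Small fictitious lookup tables; a production tool would use much larger ones.
FIRST_NAMES = ["Alex", "Casey", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Avery"]
LAST_NAMES = ["Lee", "Patel", "Garcia", "Nguyen", "Kim", "Okafor", "Rossi", "Schmidt"]
IDENTIFIER_FIELDS = ("name", "email", "pan")

# Constructed sample data: no real people; the PANs are industry test numbers.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "name": "Ana Ferreira", "email": "ana.ferreira@example.org",
     "pan": "4111 1111 1111 1111", "amount": "49.90"},
    {"id": "2", "name": "Bob Tanaka", "email": "bob.tanaka@example.org",
     "pan": "5500-0000-0000-0004", "amount": "12.00"},
    {"id": "3", "name": "Ana Ferreira", "email": "ana.ferreira@example.org",
     "pan": "4111111111111111", "amount": "7.25"},
]


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def luhn_check_digit(body: str) -> int:
    """Return the single digit that makes body + digit pass the Luhn check."""
    for d in range(10):
        if luhn_valid(body + str(d)):
            return d
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


class StaticMasker:
    """Deterministic, irreversible replacement of direct identifiers.

    The key lives only for one masking run. Without it the HMAC values cannot
    be recomputed, so the masked copy cannot be re-identified from this output.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else os.urandom(32)

    def _digest(self, field: str, value: str) -> bytes:
        # Field name is mixed in so the same string in two columns masks differently.
        return hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).digest()

    def mask_name(self, name: str) -> str:
        d = self._digest("name", name)
        return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"

    def mask_email(self, email: str) -> str:
        return f"user-{self._digest('email', email).hex()[:10]}@example.com"

    def mask_pan(self, pan: str) -> str:
        """Format-preserving: same digit count, valid Luhn, unrelated digits."""
        digits = re.sub(r"\D", "", pan)           # normalise spaces/dashes first
        d = self._digest("pan", digits)
        body = "".join(str(b % 10) for b in d)[: len(digits) - 1]
        return body + str(luhn_check_digit(body))

    def mask_record(self, record: Dict[str, str]) -> Dict[str, str]:
        out = dict(record)                        # non-identifying fields kept as-is
        out["name"] = self.mask_name(record["name"])
        out["email"] = self.mask_email(record["email"])
        out["pan"] = self.mask_pan(record["pan"])
        return out


def mask_dataset(records: List[Dict[str, str]], masker: StaticMasker) -> List[Dict[str, str]]:
    return [masker.mask_record(r) for r in records]


def no_identifiers_leaked(original: List[Dict[str, str]], masked: List[Dict[str, str]]) -> bool:
    """Post-masking check: no identifier field survives unchanged."""
    for o, m in zip(original, masked):
        for f in IDENTIFIER_FIELDS:
            if re.sub(r"\D", "", o[f]) == m[f] or o[f] == m[f]:
                return False
    return True


if __name__ == "__main__":
    masked = mask_dataset(SAMPLE_RECORDS, StaticMasker())
    for row in masked:
        print(row)
    print("leak check passed:", no_identifiers_leaked(SAMPLE_RECORDS, masked))
```

Records 1 and 3 belong to the same customer, so after masking they still share one fictitious name, e-mail, and PAN even though the original PANs were formatted differently; that is what keeps joins and test scenarios intact in a non-production copy. The `no_identifiers_leaked` check is the kind of post-masking verification worth running before a copy is handed to developers.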
Fulfill Your Country’s Data Privacy Regulations
Ensure you meet all required global data privacy laws — Delphix can help. We’ve worked with organizations around the world to secure non-production environments, mask data, and meet compliance requirements. Delphix centralizes masking policies and deploys them across your organization so that you have consistent, effective data compliance.
Meet Industry-Specific Regulatory Needs
From healthcare to retail, each industry has its own parameters for data privacy. By partnering with Delphix, your organization can meet whatever specialized needs it has. Our data masking paired with data virtualization will de-identify information and allow it to be shared across the organization without fear of sensitive data sprawl or breaches.
Mask Your Data with Delphix
Delphix specializes in static data masking, which is irreversible and guarantees that the data cannot be reidentified. This approach best fits the needs of organizations under strict data privacy regulations. Delphix will automate data privacy for your organization. You can see it for yourself — our custom demo will show you exactly how your organization can achieve compliance through data masking.