cdpse-d1-governance-privacy-laws-and-standards-across-jurisdictions

Privacy Laws and Standards Across Jurisdictions

isaca-cdpse · framework · Gold standard

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 6, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Privacy Laws and Standards Across Jurisdictions

Privacy Laws and Standards Across Jurisdictions is the body of legally binding regulations, voluntary standards, and governance frameworks that govern how organizations collect, process, store, transfer, and delete personal data — varying by geography, sector, and data type. The core competency is threefold: identify which laws apply to a given data processing activity, determine what controls those laws require, and design governance structures that satisfy multiple overlapping regimes simultaneously. It encompasses major regulations (GDPR, CCPA/CPRA, LGPD, PIPL, DPDPA), sectoral standards (HIPAA, PCI-DSS), and technical standards (ISO/IEC 27701, NIST Privacy Framework).

Where it stops · what it isn't

—IS: Legally enforceable privacy regulations and recognized technical standards governing personal data processing (e.g., GDPR, CCPA/CPRA, LGPD, HIPAA, ISO/IEC 27701, NIST Privacy Framework)
—IS: The governance competency of mapping applicable laws to organizational data flows, designing compliant controls, and managing multi-jurisdictional compliance programs
—IS: Requirements for data subject rights (access, deletion, portability, opt-out), consent mechanisms, breach notification timelines, cross-border transfer restrictions, and Data Protection Impact Assessments (DPIAs)
—IS NOT: A substitute for qualified legal counsel on jurisdiction-specific interpretation
—IS NOT: Pure cybersecurity or IT security architecture — GDPR Article 32 security requirements are in scope, but network architecture is not
—IS NOT: General data governance disciplines (data quality, data architecture) — related but distinct
—IS NOT: Intellectual property law, contract law, or other non-privacy regulatory domains

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

ISACA CDPSE Domain 1: Privacy Governance

REQUIRES

Data Lifecycle Management and ClassificationOrganizational Risk Management Frameworks

ENABLES

Privacy Impact Assessment (PIA) / DPIA ExecutionCross-Border Data Transfer ArchitectureConsent Management and Data Subject Rights Programs

RELATED TO

Privacy-by-Design Principles and ImplementationPrivacy Governance Roles and Structures (DPO, CPO)

CONSTRAINS

Data Retention and Deletion PoliciesThird-Party Vendor and Processor Management

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.