Regulation Explorer
Browse which personal data types each regulation covers. Select a framework to see the specific clauses, severity classifications, and redaction requirements for each PII pattern type.
General Data Protection Regulation (EU)
Any personal data of EU/EEA residents. Extraterritorial — applies regardless of where processing occurs.
12 PII patterns governed by this framework
US Social Security Numbers in XXX-XX-XXXX format with area/group/serial validation
Visa, Mastercard, Amex, Discover card numbers validated with Luhn algorithm
Standard email address format detection
US phone numbers in common formats: (555) 123-4567, 555-123-4567, +1 555.123.4567
Dates in MM/DD/YYYY or MM-DD-YYYY format within valid ranges (1900–2099)
US street addresses: number + street name + type (St, Ave, Blvd, Dr, etc.)
IPv4 addresses with octet range validation (excludes loopback and broadcast)
International Bank Account Numbers (15–34 chars): country code + check digits + BBAN
US passport numbers (8–9 digits, optional letter prefix) detected near "passport" context
Medicare Beneficiary Identifier (post-2020 format): 1A12-AB1-CD23
ISO 3779 Vehicle Identification Numbers (17 chars, excludes I/O/Q) with check digit validation
Driver’s license numbers detected near contextual keywords (format varies by state)
Coverage Comparison
| PII Type | GDPR | CCPA | HIPAA | PCI DSS |
|---|---|---|---|---|
| Social Security Number | Art. 87 | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| Credit/Debit Card Number | Art. 4(1) | §1798.140(v)(1)(C) | — | Req 3.3 / 3.5.1 |
| Email Address | Art. 4(1) / Recital | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| US Phone Number | Art. 4(1) | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| Date of Birth | Art. 4(1) | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| US Street Address | Art. 4(1) | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| IPv4 Address | Art. 4(1) / Recital | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| IBAN (International Bank Account) | Art. 4(1) | §1798.140(v)(1)(C) | — | — |
| Employer Identification Number | — | §1798.140(v)(1)(B) | — | — |
| US Passport Number | Art. 87 | §1798.140(v)(1)(A) | — | — |
| Medicare Beneficiary Identifier | Art. 9(1) | §1798.140(v)(1)(E) | Safe Harbor §164.514 | — |
| Vehicle Identification Number | Art. 4(1) | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
| Driver’s License Number | Art. 87 | §1798.140(v)(1)(A) | Safe Harbor §164.514 | — |
Understanding Regulation Scope
GDPR — Broadest Scope
Covers any information relating to an identified or identifiable natural person. IP addresses, online identifiers, and location data are explicitly included. Extraterritorial — applies to any organization processing EU resident data.
HIPAA — Most Specific
Enumerates exactly 18 identifier types that must be removed for Safe Harbor de-identification. Each has a specific subsection in §164.514(b)(2)(i). The most prescriptive of the four frameworks.
PCI DSS — Narrowest Focus
Only covers payment card data: Primary Account Number (PAN), cardholder name, expiration date, service code, and sensitive authentication data. The most targeted framework.
Frequently Asked Questions
What regulations does Docually cover?
Docually maps PII findings to four frameworks: GDPR (EU General Data Protection Regulation), CCPA (California Consumer Privacy Act §1798.140), HIPAA (Safe Harbor de-identification standard §164.514 — the 18 identifiers), and PCI DSS (Payment Card Industry Data Security Standard v4.0). Each framework has different scope, jurisdiction, and requirements.
Why do different regulations care about different PII types?
Each regulation was written for a different purpose. HIPAA focuses on health data de-identification (18 specific identifier types). PCI DSS only covers payment card data. GDPR takes the broadest view — any data that can identify a natural person. CCPA covers a wide range but only for California residents. Understanding which laws apply to which data types is the first step in compliance.
What does the coverage table show?
The coverage comparison table shows all 13 PII pattern types and which of the four regulation frameworks govern each type. A clause reference means that regulation has a specific provision addressing that data type. A dash means the regulation does not directly address that pattern type (though it may still be covered under broader definitions).
Is this legal advice?
No. Docually provides regulation references for educational and compliance-workflow purposes. The clause citations are sourced from published regulation text but do not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization and jurisdiction.
How current are the regulation references?
GDPR references follow the 2016 regulation text (in force since May 2018). CCPA references include the CPRA amendments effective January 2023. HIPAA Safe Harbor follows 45 CFR §164.514 as currently codified. PCI DSS references follow version 4.0 (effective March 2024). References are reviewed periodically.