Regulation Explorer

Browse which personal data types each regulation covers. Select a framework to see the specific clauses, severity classifications, and redaction requirements for each PII pattern type.

General Data Protection Regulation (EU)

Any personal data of EU/EEA residents. Extraterritorial — applies regardless of where processing occurs.

12 PII patterns governed by this framework

criticalSocial Security Numberidentifier
GDPRArt. 87 — National identification numbers require specific safeguards under member state law

US Social Security Numbers in XXX-XX-XXXX format with area/group/serial validation

Redaction: Replace with [SSN REDACTED] or mask as XXX-XX-####
criticalCredit/Debit Card Numberfinancial
GDPRArt. 4(1) — Financial account data constitutes personal data when linkable to a natural person

Visa, Mastercard, Amex, Discover card numbers validated with Luhn algorithm

Redaction: Mask to first 6 and last 4 digits per PCI DSS, or replace with [CARD REDACTED]
mediumEmail Addresscontact
GDPRArt. 4(1) / Recital 30 — Email is personal data; online identifiers are explicitly included in scope

Standard email address format detection

Redaction: Replace with [EMAIL REDACTED] or mask as u***@domain.com
mediumUS Phone Numbercontact
GDPRArt. 4(1) — Telephone numbers constitute personal data when attributable to a natural person

US phone numbers in common formats: (555) 123-4567, 555-123-4567, +1 555.123.4567

Redaction: Replace with [PHONE REDACTED] or mask as (XXX) XXX-####
highDate of Birthidentifier
GDPRArt. 4(1) — Date of birth is personal data directly identifying or contributing to identification

Dates in MM/DD/YYYY or MM-DD-YYYY format within valid ranges (1900–2099)

Redaction: Replace with [DOB REDACTED]. For HIPAA, year-only is permitted if age ≤89
highUS Street Addresscontact
GDPRArt. 4(1) — Physical address is personal data enabling location of a natural person

US street addresses: number + street name + type (St, Ave, Blvd, Dr, etc.)

Redaction: Replace with [ADDRESS REDACTED]. For HIPAA, only state-level geography is permitted
mediumIPv4 Addressdigital
GDPRArt. 4(1) / Recital 30 — IP addresses are explicitly named as online identifiers constituting personal data

IPv4 addresses with octet range validation (excludes loopback and broadcast)

Redaction: Replace with [IP REDACTED] or anonymize last octet (e.g., 192.168.1.0/24)
criticalIBAN (International Bank Account)financial
GDPRArt. 4(1) — Bank account numbers are personal data when linked to an identifiable person

International Bank Account Numbers (15–34 chars): country code + check digits + BBAN

Redaction: Replace with [IBAN REDACTED] or mask middle digits: XX00 XXXX … ####
criticalUS Passport Numberidentifier
GDPRArt. 87 — National identification numbers including passport require member state–specific processing conditions

US passport numbers (8–9 digits, optional letter prefix) detected near "passport" context

Redaction: Replace with [PASSPORT REDACTED]
criticalMedicare Beneficiary Identifierhealth
GDPRArt. 9(1) — Health-related identifiers are special category data requiring explicit consent or legal basis

Medicare Beneficiary Identifier (post-2020 format): 1A12-AB1-CD23

Redaction: Replace with [MBI REDACTED]. Never store or transmit in plaintext
lowVehicle Identification Numbervehicle
GDPRArt. 4(1) — Vehicle identifiers are personal data when linkable to a registered owner

ISO 3779 Vehicle Identification Numbers (17 chars, excludes I/O/Q) with check digit validation

Redaction: Replace with [VIN REDACTED]
highDriver’s License Numberidentifier
GDPRArt. 87 — National/state identification numbers processed only under specific conditions

Driver’s license numbers detected near contextual keywords (format varies by state)

Redaction: Replace with [DL REDACTED]

Coverage Comparison

PII TypeGDPRCCPAHIPAAPCI DSS
Social Security NumberArt. 87§1798.140(v)(1)(A)Safe Harbor §164.514
Credit/Debit Card NumberArt. 4(1)§1798.140(v)(1)(C)Req 3.3 / 3.5.1
Email AddressArt. 4(1) / Recital §1798.140(v)(1)(A)Safe Harbor §164.514
US Phone NumberArt. 4(1)§1798.140(v)(1)(A)Safe Harbor §164.514
Date of BirthArt. 4(1)§1798.140(v)(1)(A)Safe Harbor §164.514
US Street AddressArt. 4(1)§1798.140(v)(1)(A)Safe Harbor §164.514
IPv4 AddressArt. 4(1) / Recital §1798.140(v)(1)(A)Safe Harbor §164.514
IBAN (International Bank Account)Art. 4(1)§1798.140(v)(1)(C)
Employer Identification Number§1798.140(v)(1)(B)
US Passport NumberArt. 87§1798.140(v)(1)(A)
Medicare Beneficiary IdentifierArt. 9(1)§1798.140(v)(1)(E)Safe Harbor §164.514
Vehicle Identification NumberArt. 4(1)§1798.140(v)(1)(A)Safe Harbor §164.514
Driver’s License NumberArt. 87§1798.140(v)(1)(A)Safe Harbor §164.514

Understanding Regulation Scope

GDPR — Broadest Scope

Covers any information relating to an identified or identifiable natural person. IP addresses, online identifiers, and location data are explicitly included. Extraterritorial — applies to any organization processing EU resident data.

HIPAA — Most Specific

Enumerates exactly 18 identifier types that must be removed for Safe Harbor de-identification. Each has a specific subsection in §164.514(b)(2)(i). The most prescriptive of the four frameworks.

PCI DSS — Narrowest Focus

Only covers payment card data: Primary Account Number (PAN), cardholder name, expiration date, service code, and sensitive authentication data. The most targeted framework.

Frequently Asked Questions

What regulations does Docually cover?

Docually maps PII findings to four frameworks: GDPR (EU General Data Protection Regulation), CCPA (California Consumer Privacy Act §1798.140), HIPAA (Safe Harbor de-identification standard §164.514 — the 18 identifiers), and PCI DSS (Payment Card Industry Data Security Standard v4.0). Each framework has different scope, jurisdiction, and requirements.

Why do different regulations care about different PII types?

Each regulation was written for a different purpose. HIPAA focuses on health data de-identification (18 specific identifier types). PCI DSS only covers payment card data. GDPR takes the broadest view — any data that can identify a natural person. CCPA covers a wide range but only for California residents. Understanding which laws apply to which data types is the first step in compliance.

What does the coverage table show?

The coverage comparison table shows all 13 PII pattern types and which of the four regulation frameworks govern each type. A clause reference means that regulation has a specific provision addressing that data type. A dash means the regulation does not directly address that pattern type (though it may still be covered under broader definitions).

Is this legal advice?

No. Docually provides regulation references for educational and compliance-workflow purposes. The clause citations are sourced from published regulation text but do not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization and jurisdiction.

How current are the regulation references?

GDPR references follow the 2016 regulation text (in force since May 2018). CCPA references include the CPRA amendments effective January 2023. HIPAA Safe Harbor follows 45 CFR §164.514 as currently codified. PCI DSS references follow version 4.0 (effective March 2024). References are reviewed periodically.