GDPR and HIPAA are two of the most influential data-protection regimes in the world — one governing the personal data of people in the EU, the other the health information of people in the US.
Both impose specific obligations on how data is collected, used, protected, and disclosed, and both carry significant penalties, making them frequent drivers of GRC programs.
GDPR: EU data protection
The General Data Protection Regulation (GDPR) is the EU’s comprehensive data-protection law, in force since 2018. It applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is based, giving it broad extraterritorial reach. GDPR is built on principles such as lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
It grants individuals rights over their data — access, rectification, erasure, portability, and more — and requires breach notification, typically within 72 hours. Penalties can reach the higher of €20 million or 4% of global annual turnover, which is why GDPR commands board-level attention.
HIPAA: US health information
The Health Insurance Portability and Accountability Act (HIPAA) governs the protection of health information in the US.
Its Privacy Rule controls how protected health information (PHI) may be used and disclosed, while its Security Rule sets administrative, physical, and technical safeguards for electronic PHI. HIPAA applies to “covered entities” (healthcare providers, plans, and clearinghouses) and their “business associates” — vendors that handle PHI on their behalf — which is why HIPAA obligations flow through third-party risk management.
How GDPR and HIPAA fit a GRC program
Both regulations are tracked as obligations within compliance management, mapped to the controls that satisfy them, and supported by evidence that demonstrates conformance. Privacy-focused platforms (such as those in our GRC software directory) automate much of the work — data mapping, consent and rights management for GDPR, and safeguard documentation for HIPAA. Because both regimes emphasize accountability and breach response, they connect GRC closely to data security and security operations.
Frequently asked questions
What is GDPR?
GDPR is the EU’s General Data Protection Regulation, a comprehensive law governing the processing of personal data of individuals in the EU. It applies extraterritorially, grants individuals rights over their data, and carries penalties up to the higher of €20 million or 4% of global annual turnover.
What is HIPAA compliance?
HIPAA compliance means meeting the requirements of the US Health Insurance Portability and Accountability Act for protecting health information — its Privacy Rule (use and disclosure of PHI) and Security Rule (safeguards for electronic PHI) — and applies to covered entities and their business associates.
Does GDPR apply to companies outside the EU?
Yes. GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is located, which gives it broad global reach.
What is the difference between GDPR and HIPAA?
GDPR is a broad EU regulation covering all personal data; HIPAA is a US sector law covering health information specifically. Both impose data-protection obligations, but they differ in scope, jurisdiction, and the type of data they govern.