Cross-jurisdictional crosswalk
One control requirement.
19 different regulatory answers.
Pick a canonical control. See exactly which clause each of the 19 jurisdictions uses to enforce it, which treat it as advisory only, which are silent. No generic checklists. Every citation is anchored to the primary source — the same clause used in the assessment questions.
Impact assessment for high-risk AI processing
Must your organisation run a documented risk / privacy / AI impact assessment before deploying an AI system that processes personal data at scale, or in a high-risk context (credit, hiring, healthcare, law enforcement)?
| Jurisdiction | Status | Clause citation |
|---|---|---|
| PHPhilippines | Required | NPC Advisory 2024-04 §IV · DPA IRR §34(b) |
| EUEuropean Union | Required | GDPR Art. 35 · EU AI Act Art. 9 · Art. 27 (FRIA) |
| SGSingapore | Advisory | PDPC AI Model Governance Framework 2024 · IMDA MGF-GenAI |
| MYMalaysia | Advisory | AIGE 2024 §6 (risk assessment) · BNM RMiT (FIs) |
| HKHong Kong | Advisory | PCPD Model Framework 2024 §4 (risk assessment) |
| THThailand | Required | PDPA B.E. 2562 s.32 (for sensitive / large-scale) |
| IDIndonesia | Required | UU PDP Pasal 28 (DPIA) |
| JPJapan | Advisory | METI/MIC AI Guidelines v1.1 Risk Assessment |
| KRSouth Korea | Required | PIPA Art. 33 (PIA) · AI Basic Act Art. 32 (high-impact AI) |
| AUAustralia | Advisory | OAIC AI Guidance (Oct 2024) · DISR VAISS Principle 4 |
| USUnited States | Partial | NIST AI RMF MAP · Colorado AI Act §6-1-1703 (high-risk) Federal: voluntary. State: Colorado mandates; NYC LL 144 bias audit |
| CACanada | Partial | Quebec Law 25 §3.3 (PIA) · OSFI E-23 (FIs) Federal PIPEDA: accountability principle only |
| BRBrazil | Required | LGPD Art. 38 (at ANPD request) · ANPD Res. 15/2024 |
| MXMexico | Advisory | LFPDPPP 2025 Art. 5 (responsabilidad) |
| UKUnited Kingdom | Required | UK GDPR Art. 35 · ICO AI Guidance 2023/2024 |
| CHSwitzerland | Required | revised FADP Art. 22 (for high-risk) |
| INIndia | Partial | DPDP Act §10 (Significant Data Fiduciary — DPIA + periodic audit) · MEITY Draft Rules 2025 Rule 12 Mandatory for Significant Data Fiduciaries only; general Data Fiduciaries: no statutory DPIA |
| AEUAE | Advisory | UAE PDPL Art. 10 (DPO requirement) · Dubai AI Ethics Principles 2019 §3 (risk assessment) No statutory DPIA obligation; risk assessment recommended under Dubai AI framework |
| ISOInternational | Required | ISO/IEC 42001 §6.1 · ISO/IEC 23894 (AI risk) |
When your regulator calls, you can answer — clause by clause.
Every gap on your assessment report names the exact regulatory article that creates the obligation and the specific evidence artefact the regulator expects to see. Not a consultant's opinion. Not a generic checklist. The primary source — cited.
256
clause-anchored questions across 19 jurisdictions
19
live regulatory frameworks — APAC, Americas, EMEA
100%
of gaps name the expected evidence artefact