Regulations are not a reason to stop — they are a design constraint
The regulatory landscape for AI and data is frequently cited as "uncertain" or "evolving." This framing is often used to justify inaction. In reality, the core regulations are well-established, their requirements for AI data handling are largely clear, and the remaining uncertainties are at the margins, not the centre.
GDPR has been enforceable since 2018. HIPAA has been law since 1996. CCPA took effect in 2020. PCI DSS has been around since 2004. These are not new or ambiguous frameworks. What is relatively new is the application of these frameworks to AI systems, and even here, regulators have provided substantial guidance.
This module maps each major regulation to its specific requirements for AI data handling. The goal is precision: what does each regulation actually require, what does it not require, and where are the genuine grey areas? By the end, you should be able to assess your AI data handling against each applicable regulation without conflating one regulation's requirements with another's.
