Compare jurisdictions

Side-by-side view of the obligations each covered law imposes, grouped by category. Use this to spot where requirements overlap (one well-written control often satisfies multiple jurisdictions).

Category 🇪🇺 European Union / EEA 🇬🇭 Ghana 🇰🇪 Kenya 🇳🇬 Nigeria 🇺🇸 United States (California)
Governance & Accountability
  • GDPR-Art-37 Appoint a Data Protection Officer (DPO) where required

    A DPO is required for public authorities, large-scale monitoring, or large-scale special-category data processing.

  • GDPR-Art-5 Adhere to the principles of processing

    Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, accountability.

  • GH-Principles Apply the eight data protection principles

    Accountability, lawfulness, specification of purpose, compatibility of further processing, quality, openness, safeguards, data subject participation.

  • KE-Principles Apply data protection principles

    Lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity/confidentiality.

  • NG-DPO Appoint a Data Protection Officer where required

    Controllers of major importance and processors of high-risk data must appoint a DPO and publish their contact.

  • NG-Principles Observe principles of personal data processing

    Lawfulness, fairness, transparency, purpose specification, accuracy, storage limitation, integrity and confidentiality, accountability.

—
Lawful basis & consent
  • GDPR-Art-6 Establish a lawful basis for each processing activity

    Identify and document one of the six lawful bases for every processing activity (consent, contract, legal obligation, vital interests, public task, legitimate interests).

  • GH-Consent Obtain consent or rely on a lawful processing ground

    Processing requires consent or another lawful ground (contract, legal obligation, vital interests, public interest, legitimate interests).

  • KE-Consent Establish a lawful basis

    One of: consent, contract, legal obligation, vital interests, public task, legitimate interests.

  • NG-Lawful Establish a lawful basis

    One of: consent, contract, legal obligation, vital interests, public interest, legitimate interests.

—
Transparency & notices
  • GDPR-Art-12 Provide transparent information to data subjects

    Provide a concise, intelligible privacy notice covering identity of controller, purposes, legal basis, recipients, retention, rights, and contact for the DPO.

  • GH-Notice Provide notice to data subjects at collection

    Inform subjects of the purposes, recipients, rights, consequences of refusal, and contact for the controller.

  • KE-Notice Provide information to data subjects

    Notify subjects of rights, purposes, recipients, retention, and contacts.

  • NG-Notice Provide privacy information to data subjects

    Notify subjects of identity, purposes, recipients, retention, rights, and NDPC complaint channel.

  • CCPA-Notice Provide notice at or before collection

    Inform California consumers of categories collected, purposes, retention, and rights.

Data subject rights
  • GDPR-Art-15 Honor data subject rights within one month

    Access, rectification, erasure, restriction, portability, objection, and opt-out of automated decisions must be processed within one calendar month (extendable by two months for complexity).

  • GH-Rights Facilitate data subject rights of access and correction

    Data subjects may access their data, request correction, and object to processing.

  • KE-Rights Respect data subject rights

    Access, rectification, erasure, restriction, portability, objection to automated decision-making.

  • NG-Rights Honour data subject rights

    Access, rectification, erasure, restriction, portability, objection, opt-out of automated decisions.

  • CCPA-OptOut Provide a "Do Not Sell or Share My Personal Information" link

    Businesses must provide a clear, conspicuous Do-Not-Sell/Share link and honor Global Privacy Control signals.

  • CCPA-Rights Honor consumer rights to know, delete, correct, and limit

    Within 45 days (extendable by 45): access, deletion, correction, and limit use of sensitive personal information.

Security of processing
  • GDPR-Art-32 Implement appropriate technical and organisational measures (TOMs)

    Encryption, pseudonymisation, availability/integrity, regular testing, and ability to restore availability.

  • GH-Security Safeguard data against loss and unauthorised access

    Reasonable technical and organisational measures to preserve integrity and confidentiality of personal data.

—
  • NG-Security Implement appropriate technical and organisational measures

    Protect against unauthorised access, loss, destruction, alteration, or disclosure.

  • CCPA-Security Implement reasonable security procedures

    Protect personal information from unauthorised access, destruction, use, modification, or disclosure.

Breach notification
  • GDPR-Art-33 Breach notification within 72 hours

    Personal data breaches must be notified to the supervisory authority within 72 hours of becoming aware, and affected data subjects notified if high risk.

—
  • KE-Breach Notify the ODPC of breaches within 72 hours

    Controllers must notify the ODPC within 72 hours of becoming aware; data subjects where there is real risk of harm.

  • NG-Breach Notify the NDPC of breaches within 72 hours

    Notify the NDPC within 72 hours of becoming aware; data subjects where there is real risk of harm.

—
International transfers
  • GDPR-Chap-V Use a valid transfer mechanism for data leaving the EEA

    Transfers outside the EEA require an adequacy decision, SCCs, BCRs, or a valid derogation; complete a Transfer Impact Assessment where applicable.

  • GH-Transfers Ensure lawful cross-border transfers

    Transfers to countries without an adequate regime require safeguards or consent.

  • KE-Transfers Ensure lawful cross-border transfers

    Transfers out of Kenya require adequacy, appropriate safeguards, or an applicable exemption.

  • NG-Transfers Ensure lawful cross-border transfers

    Transfers permitted on basis of adequacy, appropriate safeguards, binding instruments, or exceptions.

—
DPIA / Risk assessment
  • GDPR-Art-35 Perform DPIA for high-risk processing

    A Data Protection Impact Assessment is mandatory for processing likely to result in high risk to rights and freedoms (profiling, large-scale special category, children's data, public monitoring).

—
  • KE-DPIA Complete DPIA for high-risk processing

    DPIAs required for processing likely to result in high risk to rights and freedoms.

— —
Processors & sub-processors — — — —
  • CCPA-Contracts Flow-down contractual terms to service providers and contractors

    Written contracts with required clauses (purpose limitation, no sale, audit rights).

Record of processing
  • GDPR-Art-30 Maintain Records of Processing Activities (ROPA)

    Controllers and processors must maintain a written register of processing activities listing purposes, categories of data and subjects, recipients, transfers, retention, and security measures.

— —
  • NG-ROPA Maintain records of processing activities

    Controllers and processors of major importance must maintain written processing records.

—
Special categories / children — — — —
  • CCPA-Sensitive Provide "Limit Use" for Sensitive Personal Information

    Consumers may direct businesses to limit use of sensitive PI to what is necessary to perform services.

Regulator registration —
  • GH-Registration Register as a data controller with the Data Protection Commission

    All data controllers processing personal data in Ghana must register with the DPC and renew annually.

  • KE-Registration Register as data controller or processor with the ODPC

    Controllers and processors above a prescribed threshold must register with the ODPC (renewable every 2 years).

— —

Sourced from the same content engine that powers the assessment. Cells marked "—" mean the law in that column has no specific requirement in that category — not that anything is exempt.