13 Nov 2025
India
High impact
India notifies the DPDP Rules, 2025: phased implementation begins
The Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 in the Official Gazette on 13-14 November 2025, alongside notifying the substantive provisions of the DPDP Act, 2023 itself. The Data Protection Board of India was established with four members and is operational immediately.
Implementation is phased: provisions establishing the Data Protection Board took effect immediately. Consent-manager provisions take effect 13 November 2026. All other substantive compliance obligations, including consent notices, breach reporting, data principal rights workflows, cross-border transfer mechanisms, and compliance for "Significant Data Fiduciaries", take effect 13 May 2027.
What this means for your screening programme
Programmes processing Indian candidate data have a defined runway of about 18 months to operationalise consent capture, data principal rights handling (access, correction, erasure, grievance), retention rules, and breach response. Vendors should already be aligning their DPAs to the DPDP-Rules framework. The Rules also formalise breach notification expectations to the Data Protection Board, so your incident response playbook needs an India-specific path.
2 Aug 2026 (deadline)
EU / UK
High impact
EU AI Act high-risk system obligations become enforceable
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024. Application is staged: prohibited AI practices and AI literacy obligations have applied since 2 February 2025; most provisions for "high-risk" AI systems become enforceable on 2 August 2026.
Under Annex III of the Act, AI systems used for recruitment, selection, decisions affecting work-related contractual relationships, performance evaluation, or task allocation are classified as high-risk. This includes CV screening tools, automated candidate ranking, and certain BGV automation. High-risk systems require risk-management systems, data-governance, technical documentation, transparency, human oversight, accuracy and robustness, and registration in the EU database.
The Commission has separately consulted on an "AI Act Digital Omnibus" package that could defer some application dates by up to 16 months conditional on availability of harmonised standards, but this remains a proposal and the underlying deadlines stand until amended.
What this means for your screening programme
If a BGV vendor uses AI/ML for any decision-influencing function (automated candidate scoring, risk-classification, automated red-flag detection that surfaces directly to clients without human review), you should ask explicitly whether they fall under Annex III and what their compliance posture is. This is a TPRM line item now, not a future concern. Our position: human QA review of every report is intentionally non-automated (see compliance brief FAQ #9).
15 Aug 2025 (effective)
Brazil
Medium impact
End of grace period for Brazilian Standard Contractual Clauses
The ANPD (Brazilian Data Protection Authority) approved Standard Contractual Clauses for international transfers of personal data through Resolution CD/ANPD No. 19, of 23 August 2024, with a one-year grace period. The grace period ended in August 2025: international transfers from Brazil now require either a recognised mechanism (SCCs, BCRs, adequacy, specific consent) or fall under one of the exceptions in LGPD Article 33.
What this means for your screening programme
BGV vendors transferring Brazilian candidate data outside Brazil (for processing, hosting, or sub-processor use) need ANPD-approved SCCs in place. If your DPA was signed before August 2024 without an SCC mechanism, request a refreshed addendum. We use the ANPD-approved SCCs by default for all Brazil candidate data transfers.
2025: ongoing
Brazil
Medium impact
ANPD enforcement intensifies: total fines reach R$98M (US$20M)
The Brazilian DPA has transitioned from a "moderately active" to a "very active" enforcer, with cumulative LGPD fines reported at approximately R$98 million between 2023 and 2025 across multiple sectors including healthcare, finance, and AI-driven tech. The ANPD's 2025-2026 Regulatory Agenda prioritises data subject rights, DPIAs, biometric data, AI processing, and high-risk processing.
Maximum penalty under LGPD Article 52 remains 2% of the Brazilian economic group's net turnover, capped at R$50 million per violation.
What this means for your screening programme
ANPD enforcement risk in Brazil is no longer notional. Vendor due diligence should include current ANPD investigation history (publicly searchable). For programmes that include biometric verification or AI-assisted screening on Brazilian candidates, expect more granular questions from your TPRM team, and ensure your vendor can produce a DPIA on request.
2 Feb 2025 (effective)
EU / UK
Medium impact
EU AI Act: prohibited practices and AI literacy obligations live
The first wave of EU AI Act provisions became enforceable on 2 February 2025: outright prohibitions on certain AI practices (manipulative systems, exploitation of vulnerabilities, social scoring, certain biometric categorisation), and the obligation on providers and deployers to ensure adequate AI literacy among staff dealing with the AI systems they operate.
What this means for your screening programme
AI literacy obligations apply to vendors operating in the EU: staff handling AI-assisted screening tools must be trained. None of the prohibited AI practices applies to standard BGV, but if your vendor's product roadmap includes social-scoring-style aggregations or biometric categorisation beyond identity matching, that's a pre-procurement question worth asking.
3 Jan 2025 (consultation)
India
Medium impact
Draft DPDP Rules issued for public consultation
MeitY released the draft Digital Personal Data Protection Rules, 2025 for public consultation on 3 January 2025, with a comment window through 18 February 2025. Substantive content (notice, consent, breach reporting, data principal rights, transfer mechanisms, Significant Data Fiduciary obligations) was carried into the final Rules notified in November 2025 with limited material change. Documented here for archival completeness; see the November 2025 entry above for the operative text.
1 Aug 2024 (in force)
EU / UK
Medium impact
EU AI Act enters into force: clock starts on staged application
Regulation (EU) 2024/1689 entered into force on 1 August 2024, twenty days after publication in the Official Journal. The full provisions of the Act apply from 2 August 2026, with prohibitions and AI literacy applying earlier (Feb 2025), governance and general-purpose AI rules from August 2025, and certain provisions for products covered by EU sectoral law from August 2027.
What this means for your screening programme
The starting gun for EU AI Act compliance has fired. Procurement and TPRM should add "AI Act readiness" to vendor scorecards now, even though enforcement of the high-risk obligations is some way out. Vendors that say "we'll address AI Act when it applies" are signalling that they will be late.
23 Aug 2024 (resolution)
Brazil
Medium impact
ANPD approves Standard Contractual Clauses for international transfers
ANPD Resolution CD/ANPD No. 19, of 23 August 2024 introduced Brazilian SCCs as an authorised mechanism for international transfers of personal data under LGPD Article 33. The Resolution included a 12-month grace period for organisations to align existing contracts. The grace period ended August 2025 (see entry above).
2024: ongoing
India
Low impact
NAD coverage expanding: more universities issuing degrees digitally
The National Academic Depository operated by NSDL Database Management Limited continues to expand institutional coverage. Where universities have onboarded NAD, education verification turnaround drops from 5-10 days (registrar email) to near-instant (digital lookup) for participating institutions and digitised cohorts.
What this means for your screening programme
For Indian education verification, NAD coverage for the candidate's specific institution and graduation year is the single most important determinant of TAT. Vendors should be querying NAD first by default for Indian degrees and only falling back to registrar verification when NAD is silent.
Continuous
Global
Medium impact
OFAC and EU consolidated sanctions list updates accelerate
OFAC SDN list, EU consolidated financial sanctions list, and UK OFSI sanctions list have all seen elevated update frequency through 2024 and 2025 driven by ongoing geopolitical events. Sanctions screening as part of BGV for finance, executive, and regulated-industry hires must therefore be performed against current lists at the point of decision, not against a cached snapshot.
What this means for your screening programme
If your sanctions screening process re-checks candidates only at hiring, you have a stale-data risk for candidates in long pipelines. Vendors should refresh sanctions screening at the point of report finalisation, not at intake. Ours does.