
Global PII Compliance in 2025: Why US SSN Detection Alone Is Not Enough for GDPR, LGPD, and DPDP

Brazilian CPF, Indian Aadhaar, and US SSN have fundamentally different formats and validation logic. LGPD and India's DPDP Act add CPF and Aadhaar to the list of protected identifiers. Most US-built tools detect SSN but miss the other two.

March 5, 2026, 8 min read

Tags: global PII compliance, Brazilian CPF detection, Indian Aadhaar DPDP, LGPD compliance, multi-regulatory PII

The Three-Regulation Problem

A UK-based global marketplace processing seller verification documents from 80 countries faces three simultaneous regulatory frameworks: GDPR for EU-based sellers, LGPD (Lei Geral de Proteção de Dados) for Brazilian sellers, and India's Digital Personal Data Protection Act (DPDP) for Indian sellers. Each framework designates different national identifiers as protected personal data requiring specific handling.

Brazilian CPF (Cadastro de Pessoas Físicas): The 11-digit individual taxpayer identification number with format XXX.XXX.XXX-XX. The last two digits are check digits derived from a specific modular arithmetic algorithm. Brazilian LGPD treats CPF as a unique identifier for natural persons, equivalent to SSN in terms of sensitivity. A tool that does not know the CPF format and checksum algorithm cannot detect it.

Indian Aadhaar: The 12-digit identity number issued by the Unique Identification Authority of India and linked to the holder's biometrics. Unlike CPF and SSN, Aadhaar numbers carry no structural meaning: they are randomly assigned, with the final digit a Verhoeff algorithm check digit. India's DPDP Act imposes obligations on organizations processing Aadhaar-linked data. Detection requires format recognition (12 consecutive digits with a Verhoeff check) and context-aware suppression (not every 12-digit number is an Aadhaar).

US SSN: The 9-digit Social Security Number with documented area number constraints (first 3 digits), group number structure (middle 2 digits), and serial number range (last 4 digits). Validation algorithms are established and well-documented.

These three identifiers have different formats, different validation algorithms, and different regulatory contexts. A compliance system processing documents from Brazil, India, and the US simultaneously cannot rely on any single tool built for one country's format.

The Multi-Regulatory Gap in Practice

The gap between SSN detection and global coverage is larger than most compliance teams realize. Organizations that verify "our PII tool is working" by testing it against US data never discover that it fails on non-US formats until a regulatory event surfaces the failure.

GDPR Article 28 requires a written Data Processing Agreement with every data processor. The DPIA for the anonymization tool must address whether the tool covers all identifier formats present in the data being processed. A DPIA that lists "SSN detection" as the primary PII control for a dataset containing Brazilian sellers with CPF numbers contains a documented compliance gap — one that can be identified in a regulatory audit.

The combination of GDPR's 4% global annual revenue maximum fine, LGPD's equivalent provisions, and DPDP's emerging enforcement creates compounding regulatory risk for global organizations that rely on single-country PII detection tools.

