GDPR, CCPA, SOC 2, PCI-DSS & HIPAA for Pakistani IT companies

| Jurisdiction | Data Localization | Transfer Mechanism | IT Impact | Reference |
|---|---|---|---|---|
| Pakistan | Limited (PECA) | SBP approval for financial data | Moderate | |
| EU (GDPR) | Stricter | Adequacy decisions, SCCs | High for EU clients | |
| USA | No federal requirement | Contractual safeguards | Low | |
| UAE | No strict localization | DIFC Data Protection | Low | |
| China | Strict | Cross-border assessment | High | |
| India | Banking data only | RBI approval required | Moderate | |

| Step | Requirement | Authority | Timeline | Reference |
|---|---|---|---|---|
| 1 | Register with TDAP | Trade Development Authority | 1-2 weeks | |
| 2 | Obtain GSP+ Certificate of Origin | Chamber of Commerce | Per shipment | |
| 3 | Comply with 27 conventions | Multiple bodies | Ongoing | |
| 4 | Report IT exports via PBS | Pakistan Bureau of Statistics | Monthly | |
| 5 | Maintain PSEB Certification | PSEB | Annual | |
| 6 | Register with SBP for remittances | State Bank of Pakistan | 1 week | |

| Requirement | What You Need to Do | Jurisdiction |
|---|---|---|
| Lawful Basis | Contract, consent, or legitimate interest for all processing | EU (extraterritorial) |
| Data Processing Agreement | DPA with every EU client | EU |
| Sub-processor Disclosure | List and get approval for all sub-processors | EU |
| Data Subject Rights | Implement access, deletion, portability mechanisms | EU |
| Breach Notification | Notify supervisory authority within 72 hours of discovery | EU |
| Privacy by Design | Build privacy into systems from the start | EU |
| Data Transfer Mechanisms | Standard Contractual Clauses (SCCs), adequacy decisions, or BCRs | EU |
| DPO | Appoint Data Protection Officer for large-scale processing | EU |
| Records of Processing | Article 30 — maintain processing records | EU |
| Privacy Impact Assessment | Article 35 — DPIA for high-risk processing | EU |

Penalties: Up to €20 million or 4% of global annual turnover (whichever is higher)

| Type | Assessment | Timeline | Estimated Cost |
|---|---|---|---|
| Type I | Point-in-time design assessment | 2–4 months | USD 10K–25K (estimated range — verify with provider) |
| Type II | Operational effectiveness (6–12 month observation) | 12–18 months total | USD 15K–50K (estimated range — verify with provider) |

| Level | Transactions/Year | Assessment |
|---|---|---|
| Level 1 | >6 million | On-site QSA assessment + annual AOC |
| Level 2 | 1–6 million | Self-Assessment Questionnaire (SAQ-D) |
| Level 3 | 20K–1 million | SAQ-C or SAQ-C-VT |
| Level 4 | <20,000 | SAQ-B-IP or SAQ-A |

| Tax | Rate | Jurisdiction | Reference |
|---|---|---|---|
| Corporate Tax (PSEB IT export) | 0.25% | Federal/ICT | ITO §154A |
| Corporate Tax (domestic) | 20% | Federal/ICT | ITO 2001 |
| WHT Export (PSEB) | 0.25% | Federal/ICT | ITO §154A |
| WHT Export (non-PSEB) | 1% | Federal/ICT | ITO §154A |
| 50% FCY Retention | Retain export proceeds in foreign currency | Federal/ICT | SBP FECL 05/2026 — Foreign Exchange |
| 100% Foreign Ownership | IT sector allows 100% foreign equity | Federal/ICT | BOI Investment Policy 2023 |
| Startup Tax Credit | 100% for 3 years | Federal/ICT | ITO §65F(b) |
| SEZ Tax Holiday | 10-year 0% | Federal/ICT | SEZ Act 2012 / BOI |

| Tax | Rate | Jurisdiction | Conditions | Reference |
|---|---|---|---|---|
| Corporate Tax (PSEB IT export) | 0.25% | Federal/ICT | PSEB + 80% export revenue | ITO §154A |
| Corporate Tax (domestic IT) | 20% | Federal/ICT | Standard corporate rate | ITO §154 |
| WHT Export Remittance (PSEB) | 0.25% | Federal/ICT | PSEB-registered | ITO §154A |
| WHT Export Remittance (non-PSEB) | 1% | Federal/ICT | No PSEB registration | ITO §154A |
| WHT Domestic Services | 3-8% | Federal/ICT | Standard service withholding | ITO §153 |
| Startup Tax Credit | 100% for 3 years | Federal/ICT | PSEB mandatory, <PKR 100M | ITO §65F(b) |
| SEZ Tax Holiday | 10-year income tax 0% | Federal/ICT | SEZ-registered companies | SEZ Act 2012 / BOI |
| SST Sindh — IT concessional | 3% | Sindh | Software dev, CPC 83100 | SRO 981(I)/2015 |
| SST Sindh — IT export (PSEB) | 0% | Sindh | PSEB + 80% export | SRO 981(I)/2015 (exemption for PSEB-registered IT exporters) |
| SST Sindh — Standard | 15% | Sindh | Default rate | Sindh Sales Tax on Services Act 2011 §4 |
| SST Punjab — IT-Enabled Services | 0% (Zero-Rated) | Punjab | Hosting, maintenance, data processing | Punjab Sales Tax on Services Act 2012, PRA Notification (0%, zero-rated, for domestic IT) |
| SST Punjab — Software Dev | 0% (zero-rated) | Punjab | Pure software development | Punjab Sales Tax on Services Act 2012, Notification per PRA directive |
| SST Punjab — IT export (PSEB) | 0% | Punjab | PSEB + 80% export | SRO 981(I)/2015 (extended to Punjab) |
| SST Punjab — Standard | 16% | Punjab | Default rate | Punjab Sales Tax on Services Act 2012 §4 |
| SST KP — IT concessional | 2-5% | KP | PSEB-registered IT | KP Finance Act (annual), Notification per KPRA |
| SST KP — IT export (PSEB) | 0% | KP | PSEB + 80% export | SRO 981(I)/2015 (extended to KP) |
| SST KP — Standard | 15% | KP | Default rate | KP Finance Act (annual) |
| SST Balochistan — IT export | 0% | Balochistan | PSEB + export | SRO 981(I)/2015 (extended to Balochistan), per BRA notification |
| SST Balochistan — Standard | 15% | Balochistan | Default rate | Balochistan Sales Tax on Services Act 2015 |
| SST Telecom (all provinces) | 19.5% | All provinces | Mobile, internet, fixed-line | Provincial Acts |
| EOBI | 5% employer + 1% employee | Federal/ICT | 5+ employees, PKR 37,000/mo ceiling (EOBI Act & Rules) | EOBI Act 1976 |
| SESSI (Sindh) | 6% employer + 1% employee | Sindh | 5+ employees | SESSI Act |
| PESSI (Punjab) | 6% employer + 1% employee | Punjab | 5+ employees | PESSI Ord. 1965 |
| Workers Welfare Fund | 2% of income > PKR 500K | Federal/ICT | 5+ employees, annual | WWF Ord. 1969 |
| 50% FCY Retention | Retain export proceeds in FCY | Federal/ICT | All IT exporters | SBP FECL 05/2026 — Foreign Exchange |
| 100% Foreign Ownership | IT sector allows 100% foreign equity | Federal/ICT | All IT companies | BOI Investment Policy 2023 |
| Duty-Free IT Equipment | 0% customs duty | Federal/ICT | PSEB-registered | PSEB / SRO 488(I)/2013 |

| Body | Role | Website |
|---|---|---|
| FBR / IRIS | Income tax filing, WHT, ATL status | iris.fbr.gov.pk |
| SECP / LEAP | Company registration, annual returns | leap.secp.gov.pk |
| PSEB | IT registration, 0.25% WHT, duty exemptions | pseb.org.pk |
| SBP | FCY retention, EFS, Cyber Shield (Mar 2026) | sbp.org.pk |
| PTA | Telecom licensing, 5G, DIRBS | pta.gov.pk |
| SECP | Corporate governance, company law | secp.gov.pk |
| NADRA | Digital identity (PakID: 15.4M downloads) | nadra.gov.pk |
| WeBOC | Electronic customs declarations | weboc.gov.pk |
| Roshan Digital Account | Overseas Pakistani investment | roshandigitalaccount.com |
| Raast | Instant payment system | raast.pk |
| STZA | Special Technology Zones | STZA — Act & Rules |
| BOI | Investment policy, 100% foreign ownership | invest.gov.pk |
| PPRA | Government procurement (EPADS V2.0) | PPRA — Rules & Regulations |
| FIA Cybercrime | PECA enforcement, Helpline 1991 | cybercrime.gov.pk |
| EOBI | Federal pension: 5%+1% | eobi.gov.pk |
| SRB | 0% | srb.gos.pk |
| PRA | Punjab SST: 0% (Zero-Rated) IT / 0% PSEB export | PRA — PSTS Act 2012 |
| KPRA | KP SST: 2-5% IT / 0% PSEB export | KPRA — Acts & Notifications |
| BRA | Balochistan SST: 0% PSEB IT export | bra.gob.pk |