Once upon a time, in a galaxy far, far away…

…data privacy laws were simple. They set the requirements for protecting personal data and provided guidance on how companies could share data. While the US had few laws, the Europeans began building a book of legislation, and, in 1995, the European Data Protection Directive set the new standard. In the US, the approach was quite different. Instead of a single law guarding data privacy, a series of laws emerged in the US for specific situations, giving rise to some of our favorite acronyms in data—HIPAA (Health Insurance Portability and Accountability Act), FCRA (Fair Credit Reporting Act), GLBA (Gramm-Leach-Bliley Act), and others. While the federal legislators and a growing number of state bodies continued to craft unique requirements focused on target industries, the EU continued to develop its approach, which focused on defining personal data, how to get permission to use that data, and what could be done with it after permission was granted. It also set rules for how individuals could revoke consent. In 2018, the updated EU General Data Protection Regulation (GDPR) went into effect, adding more guidelines and rules for protecting personal data and limiting its use.

In the last four years, GDPR has been amended multiple times, and its enforcement has evolved to be some of the strictest in the world. Last year saw some of the largest fines ever leveled against companies for non-compliance. TikTok was fined because it failed to provide terms and conditions in Dutch in the Netherlands. Amazon was fined $887 million, more significant than all the previous GDPR fines combined. WhatsApp and Google were hit with similar hefty penalties. Now, small and medium-sized businesses with fewer than 250 employees are also being targeted for mishandling data and/or violating GDPR rules.