On this week's Serious Privacy, Paul Breitbarth and K Royal discuss the European Union's General Data Protection Regulation (GDPR), which went into effect three years to the day before this episode was released (May 25, 2021).

And whether you consider it three years or five (per this Twitter debate), it was a world-changing event.

In this episode, they talk about the changes in the past three years, including the two years before the GDPR was passed. They discuss penalties and amounts known, but also the most frequent violations.

Companies can learn a lot by looking at enforcement to know where to prioritize their compliance activities – or at least what to check to ensure it is properly in place.

They discuss locatemyfamily.com, which has been in the news lately, including for not appointing a European representative, and the challenges the data protection authorities faced in investigating the complaints across the ocean.

In addition, they discuss how the GDPR impacted US legislation, such as the concept of controllers and processors and the definition of sensitive personal data.

The GDPR influenced the California Consumer Privacy Act (CCPA), or more so the California Consumer Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA) – the latter two take effect in 2023.

There is a discussion of the importance of EU representatives – and there is a passing mention of the upcoming standard contractual clauses.

This week’s episode can be streamed below.

There is no “ish” in Privacy: GDPR 3-5 Years Later