When GDPR became enforceable in mid-2018, it heralded a new phase in data privacy. Since then we’ve seen a wave of new legislation either modeled off or evolving Europe’s landmark law, including California’s CCPA , Brazil’s LGPD, and in August 2021, China’s PIPL. In addition, a trio of new laws in California, Colorado, and Virginia will come into force in 2023, and there are nine active bills in US states as of September 2021 (IAPP).

Yet until recently, data privacy often remained “stuck in legal” for many organizations. Leadership bought into the basics of compliance, but was satisfied to do no more than the competitors, or others in the marketplace. Once the box was checked on compliance the leadership team likely moved onto other seemingly weightier issues.