The General Data Protection Regulation (GDPR) parallels the Y2K (or Millennium) bug in that both scenarios involve (or involved) a deadline that brings with it severe penalties on a global scale. But are we seeing the same level of activity in the lead-up to the 25 May deadline for GDPR as we saw in the lead-up to 1 January 2000? What other parallels exist between the two?
GDPR is not just a tech issue
There is certainly a high degree of misconception surrounding the GDPR, which we also saw with the Y2K bug.
“I think the main comparison between the Y2K bug and GDPR is the degree of misinformation being presented by some unscrupulous parties, seeking to benefit from creating an atmosphere of fear,” says Stephen Buchan, an Intuitus consultant with significant experience in ensuring that organisations become GDPR compliant.
The Y2K bug was seen fundamentally as a technology issue. A problem in the coding of computerised systems was projected to create havoc in computers and computer networks around the world at the beginning of the year 2000. However, organisations were able to address the issue with technology upgrades and programming corrections that they had years of lead time to implement. In the end, very few major failures occurred in the transition from 31 December 1999 to 1 January 2000.
The GDPR, on the other hand, is a legislative issue that isn’t clearly understood. The GDPR legislation is relatively new, having been adopted by both the European Parliament and the European Council in April 2016. The two-year preparation period was intended to give businesses and public bodies covered by the regulation time to prepare for the changes. However, the intervening months have seen widespread confusion amongst many businesses as they attempt to decipher what needs to be done.
Fundamental to GDPR compliance is how organisations protect and manage the data that they hold. Rather than panicking or, worse still, ignoring the issue, organisations can treat the GDPR as an opportunity to evaluate and improve the handling, security and control of the data that they are entrusted with.
Evolution not revolution
While the Y2K bug had a hard deadline, complying with the GDPR will be more of an evolutionary process going forward. Organisations will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.
Gartner estimates that by the end of 2018 more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
“When the GDPR legislation comes into force on 25 May it doesn’t mark a sudden introduction of a new regime with regard to how organisations ought to handle personal data,” says Stephen Buchan. “Certainly the new rules will place heavier demands on some businesses, and the sanctions for non-compliance are more serious, but the Data Protection Act currently in force, and other legislation such as The Privacy and Electronic Communications Regulations (PECR), have been in place for a long time, and organisations are legally required to comply with these rules now.”
GDPR readiness for portfolio companies
The regulatory and compliance framework is having an increasing impact on the technology and IT landscape, as evidenced by the GDPR. With deep, sector-relevant expertise in technology and IT due diligence and cyber security, Intuitus is uniquely positioned to advise on the impact of GDPR.
We now offer a GDPR readiness assessment within the scope of all due diligence engagements. Compliance is an ongoing exercise and the degree of compliance is something that should be checked during any assessment of an organisation. The GDPR readiness assessment focuses on three key areas:
- Based on the types of data being processed, how significant is the introduction of the GDPR for the company?
- What approach has been taken to ensure compliance with the GDPR?
- Are there obvious gaps in the current approach being taken to achieve GDPR compliance?
To find out more about GDPR readiness assessments, speak to one of the Intuitus team today.