A couple of weeks ago, I posed a question here on LinkedIn on a Saturday morning. That question was:
Recently I’ve been involved in a lot of discussions that include GDPR. A recurring theme is a fear it’s another Y2k overhype. Thoughts?
I was amazed that in the space of 48 hours or so it had nearly 5000 views (and nearly 10000 to date), which speaks volumes for the amount of interest in GDPR at the moment. (Interestingly, I deliberately made the question that short so it could hit Twitter too, but it didn’t seem to garner so much attention there.)
Oh, and by the way, apologies for the word “overhype”: I’m not sure it’s a real word, and even if it is I don’t really like it, but it gets the point across.
“What was the Y2k overhype?”, I hear younger readers ask
Those of us who were around in the 90s will surely (fondly?) recall the massive amount of work that went into testing and retesting systems to ensure that they didn’t have the “Year 2000 bug” which would have caused them to crash because they couldn’t handle the year digits moving from “99” to “00”. This would only affect the systems which only used two figures for the year rather than four. Wild predictions of planes falling out of the sky, power grids failing etc abounded.
In the end, not a lot happened as the clocks ticked over into the new century. There were no major outages, no major systems failures, though there may have been small isolated problems which affected a number of people. All in all, the perception was that the Y2k bug had been overhyped and that there had been no need for such dire predictions.
Of course, there’s no telling what would have happened had no work been put in to testing systems, but as far as the general public (and, to a certain extent, business management) was concerned it was hype for hype’s sake, a job creation scheme. Several of the respondents to my original question worked for 18 months or more, testing systems and code to ensure that nothing bad would happen, but to the outside world it was unnecessary.
In my opinion, had so much effort not gone into testing and checking before the event, there could have been big problems: I err on the side of “it was a good precautionary measure”.
How does that affect GDPR?
Well, that was the question I was hoping to answer. There was some really good debate on the post, with some really interesting insights shared. I thought that with this article, I’d try to pull those comments and views together, to see whether the view is that GDPR is likely to be seen in the same light in years to come.
It’s fair to say that while Y2k was a one-off event, at a specific moment in time. GDPR will be with us for many years. It is very likely that it will be amended and improved over time, and will no doubt keep pace with whatever changes the EU implement as the years pass.
The second thing to say is that GDPR will be a law, not an event, so we don’t have any choice but to comply. If the law required all cars to have lights on all the time, would you wait until the day the law came into force to get your car fixed to comply, or would you do something about it before the event? The same logic applies to GDPR: get the work done before the date to ensure you are compliant from the date the law comes into effect.
Thirdly, you might want to look at the risks involved. Y2k was a potential operational risk, whereas GDPR is a strategic risk to your business. Only the people who run your company know what level of risk appetite they have, and it’ll be their decision as to whether they want to run the risk of being caught breaking the law or not.
It’s clear that compliance will require a certain amount of tweaking of operational processes and procedures, but if your business is already compliant with the existing Data Protection Act the amount of change should not be significant.
What about the big fines?
Some likened this to motorists who regularly speed in their car. For every one or two who get caught and punished, how many don’t? The expectation seems to be that some companies will be prosecuted, and some will “get away with it” - at least for a period of time.
The ICO have stated on their website that “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. If that statement is true, then perhaps some of the hype around scale and volume of fines at least is unjustified.
One thing GDPR is not…
Apparently one of the rumours / allegations doing the rounds is that GDPR will be another PPI bonanza for lots of companies trying to make a quick profit. It’s not something others can do to your business, it’s something that must be complied with from within. By all means, hire in consultants to help, but they will not have a magic bullet to make you GDPR compliant.
…and one thing that GDPR is…
The requirement for privacy by design, which therefore requires security to be designed and built in to solutions rather than bolted on at the end (as often happens, in my opinion) is really good news. One of the results of this will mean that developers will have to consider security at every step, and perhaps we’ll finally stop seeing SQL Injection and Cross Site Scripting in the OWASP Top 10, after nearly 20 years. That has to be a good thing, don’t you agree?
PGI believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering cyber security services and protection, and offer a range of training courses to upskill your staff to tackle cyber threats in-house.
Want to know how secure your business is, or methods in which you can improve? We offer FREE cyber consultancy for all businesses, large or small. Please register here and a member of the team will be in touch.
Your free global geopolitical
PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.
The Risk Portal gives users up-to-date information and analysis on global affairs.
The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.
Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.
Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.
Subscribe to our Cyber Bytes Newsletter
Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.