A couple of weeks ago, I posed a question here on LinkedIn on a Saturday morning. That question was:
Recently I’ve been involved in a lot of discussions that include GDPR. A recurring theme is a fear it’s another Y2k overhype. Thoughts?
I was amazed that in the space of 48 hours or so it had nearly 5000 views (and nearly 10000 to date), which speaks volumes for the amount of interest in GDPR at the moment. (Interestingly, I deliberately made the question that short so it could hit Twitter too, but it didn’t seem to garner so much attention there.)
Oh, and by the way, apologies for the word “overhype”: I’m not sure it’s a real word, and even if it is I don’t really like it, but it gets the point across.
“What was the Y2k overhype?”, I hear younger readers ask
Those of us who were around in the 90s will surely (fondly?) recall the massive amount of work that went into testing and retesting systems to ensure that they didn’t have the “Year 2000 bug” which would have caused them to crash because they couldn’t handle the year digits moving from “99” to “00”. This would only affect the systems which only used two figures for the year rather than four. Wild predictions of planes falling out of the sky, power grids failing etc abounded.
In the end, not a lot happened as the clocks ticked over into the new century. There were no major outages, no major systems failures, though there may have been small isolated problems which affected a number of people. All in all, the perception was that the Y2k bug had been overhyped and that there had been no need for such dire predictions.
Of course, there’s no telling what would have happened had no work been put in to testing systems, but as far as the general public (and, to a certain extent, business management) was concerned it was hype for hype’s sake, a job creation scheme. Several of the respondents to my original question worked for 18 months or more, testing systems and code to ensure that nothing bad would happen, but to the outside world it was unnecessary.
In my opinion, had so much effort not gone into testing and checking before the event, there could have been big problems: I err on the side of “it was a good precautionary measure”.
How does that affect GDPR?
Well, that was the question I was hoping to answer. There was some really good debate on the post, with some really interesting insights shared. I thought that with this article, I’d try to pull those comments and views together, to see whether the view is that GDPR is likely to be seen in the same light in years to come.
It’s fair to say that while Y2k was a one-off event, at a specific moment in time. GDPR will be with us for many years. It is very likely that it will be amended and improved over time, and will no doubt keep pace with whatever changes the EU implement as the years pass.
The second thing to say is that GDPR will be a law, not an event, so we don’t have any choice but to comply. If the law required all cars to have lights on all the time, would you wait until the day the law came into force to get your car fixed to comply, or would you do something about it before the event? The same logic applies to GDPR: get the work done before the date to ensure you are compliant from the date the law comes into effect.
Thirdly, you might want to look at the risks involved. Y2k was a potential operational risk, whereas GDPR is a strategic risk to your business. Only the people who run your company know what level of risk appetite they have, and it’ll be their decision as to whether they want to run the risk of being caught breaking the law or not.
It’s clear that compliance will require a certain amount of tweaking of operational processes and procedures, but if your business is already compliant with the existing Data Protection Act the amount of change should not be significant.
What about the big fines?
Some likened this to motorists who regularly speed in their car. For every one or two who get caught and punished, how many don’t? The expectation seems to be that some companies will be prosecuted, and some will “get away with it” - at least for a period of time.
The ICO have stated on their website that “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm”. If that statement is true, then perhaps some of the hype around scale and volume of fines at least is unjustified.
One thing GDPR is not…
Apparently one of the rumours / allegations doing the rounds is that GDPR will be another PPI bonanza for lots of companies trying to make a quick profit. It’s not something others can do to your business, it’s something that must be complied with from within. By all means, hire in consultants to help, but they will not have a magic bullet to make you GDPR compliant.
…and one thing that GDPR is…
The requirement for privacy by design, which therefore requires security to be designed and built in to solutions rather than bolted on at the end (as often happens, in my opinion) is really good news. One of the results of this will mean that developers will have to consider security at every step, and perhaps we’ll finally stop seeing SQL Injection and Cross Site Scripting in the OWASP Top 10, after nearly 20 years. That has to be a good thing, don’t you agree?
PGI believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering cyber security services and protection, and offer a range of training courses to upskill your staff to tackle cyber threats in-house.
Want to know how secure your business is, or methods in which you can improve? We offer FREE cyber consultancy for all businesses, large or small. Please register here and a member of the team will be in touch.
Your free global geopolitical
PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.
The Risk Portal gives users up-to-date information and analysis on global affairs.
The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.
Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.
Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.
Making ongoing compliance easier for you and your business
GDPR is now in force – make sure your business meets the necessary requirements and assurance for all your customers and employees
A full audit of your business to assess the level of your compliance against GDPR requirements
Become GDPR compliant with minimal work – we’ll conduct an analysis, review, report and implementation of necessary changes to your business
We’ll carry out simple assessments of security to help you understand and mitigate the potential risks to your business
Get your business ready to face the cyber challenge
We provide a full range of accredited, certified and bespoke services that assess the resilience of your cyber security posture
PGI’s Qualified Security Assessors (QSA) will help you meet Payment Card Industry Data Security Standards (PCI DSS)
Find out more on PCI DSS
Demonstrate your commitment to cyber security by achieving and maintaining accreditation for the globally-recognised information security standard
Find out more on ISO 27001
Understand the threats of phishing and malware to avoid being targeted
Undertake our phishing capability assessment to reduce your organisation’s risk of of attack, by measuring the cyber awareness of your workforce.
PGI will conduct a tailored phishing campaign, using multiple methods, to identify realism and train employees where necessary to mitigate future attacks
PGI monitor multiple metrics to identify the types of phishing, generate in-depth analysis reports and provide an informed decision to help improve your organisation’s level of security and awareness
Prevent attacks, respond to breaches and protect your business
Our bespoke range of cyber security services not only protect your critical assets but provide the education you need to keep your operations and data safe.
implement the cost-effective cyber security measure launched by the government to prevent cyber-attacks, demonstrate commitment to your clients, and attract new business by being recognised as a secure organisation
Find out more on Cyber Essentials Accreditation
The most effective way to identify how attackers target your organisation’s weaknesses by evaluating your system and network security and reporting on any vulnerabilities that could lead to a business impact
Find out more on Penetration Testing
If your business has experienced breaches, network compromises or operational disruption, our team of cyber security specialists can deploy quickly, and efficiently begin the process of detecting and eliminating the threat
Find out more on Data Breach Response & Recovery
Data Breach Response & Recovery
We prevent attacks, respond to security breaches, and protect your business
Our team of specialists can deploy quickly and efficiently to begin the process of detecting, eliminating and prevention of future threats of a breach.
A vital part of the response process is making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion
Find out more on Digital Forensics
We will identify and minimise the risks, as well as the possibility of future risks to your business
Consistent interaction with your management team and recommendations on how to approach all outcomes that need attention
Subscribe to our Cyber Bytes Newsletter
Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.