I recall a Saturday nearly two decades ago when everyone who used any type of technology felt like their world might come crashing in around them. That Saturday was, of course, January 1, 2000. A Saturday so infamous it spawned a nickname… Y2K!
We all went to bed on December 31, 1999 not knowing what might work and what might not work when we awoke into this brave new world known as Y2K. Would the power grid be down? Would ESPN still be on? Oh no, the coffee pot had a timer, would I not get coffee? And businesses had bigger concerns – will my systems still operate? Will my factories shutter? What about my cash registers? Will I be able to verify credit cards?
Largely, Y2K passed without major incident. When we woke up, the coffee pot worked, ESPN was still on. Our ID cards opened the parking lot at work on Monday, and when we got to our desk, everything lit up and we had that normal mass of Monday email. That happened because of global preparation conducted over years. Massive amounts of analysis of systems and their vulnerabilities and remediations before the fact.
This preparation made Y2K a cliché and not a catastrophe. Quickly, it was safe to remove our biohazard suits and goggles, and go about life.
So how about GDPR compliance? We saw some major companies wake up with potentially billions of dollars in liabilities. Why? Because they did not take the new requirements seriously, didn’t understand them, or had other priorities. That’s a shame when the F and G of FANG get in that situation.
There are different types of companies out there – there are some who saw this coming, took it seriously, made changes in process, and upgraded technologies, and for those of us who did take this very seriously, we woke up May 26, 2018 the same way we woke up January 1, 2000. The coffee pot worked – only now it was a Keurig and not a Mr. Coffee, ESPN was still on – only now on a QLED curved screen and not a projection TV the size of a walk-in closet, and the sun rose.
Others tried valiantly, but got a late start. It caused them a lot of late nights and early mornings, but they got there largely intact, secure and compliant. Some of those were some of our clients – they worked feverishly to make sure they were compliant with the new regulations, because that’s what Compliance Officers do. I watched some amazing compliance professionals form and serve on GDPR readiness task forces, and get the job largely done.
Then there were the companies in denial. The ones who felt like their historical approach to data privacy would get them past this as well. But they were wrong; GDPR compliance was different.
Historically, data privacy had been secondary to data security. The effort was spent on avoiding a breach and ensuring privacy that way. Build better firewalls (and there’s probably a joke in there about who has to pay for the firewall, but I digress…), get better intrusion detection, do better threat assessments, run harsher penetration tests… Don’t get me wrong, those are all vital security measures, and any vendor who has any data needs to do everything possible to protect it. So how is GDPR compliance different? GDPR also has a focus on the rights of individuals to know and manage what is known about them on the web. This is where many technology companies fell short. They were so busy building better walls to protect the data that they ignored the individuals’ rights regarding that data.
So as far as your biohazard suit and goggles go, I’d keep them handy for a little while longer. Until companies comply with the spirit of GDPR and an individual’s right to throttle what is known about them on the web, you might need to slip them back on. There’s still more dust to settle on data protection.
J Rollins is the co-founder and CEO of ETHIX360. At ETHIX360, our goal is simple: to provide an affordable, flexible and comprehensive answer to employee communication and case management on issues related to corporate ethics, code of conduct, fraud, bribery, EH&S and workplace violence. To learn more about ETHIX360, please visit www.ethix360.com, or follow us on Twitter @ethix360.