GDPR reminds me a lot of Y2K. Eighteen years ago I was an IT project manager for one of the largest consumer goods manufacturers in the world: Procter & Gamble. I had been working for them for almost 5 years, and one third of that time I spent on a critical, expensive, dreadful, but at the same time very exciting initiative: Y2K.
As a young professional that was starting her career, I could not relate very well to the repercussions of this technological bug. I was told to do a job and I was happily doing it to the best of my abilities.
However, senior leadership had learned of the implications of this “small” design flaw. I am sure they were initially skeptical, thinking that the hype was bigger than the issues would turn out to be. But thanks to some visionary and smart leaders, such as our CIO for the Latin America region at the time, Filippo Passerini, P&G was ready to deal with this challenge when it arrived.
One big lesson I learned from Filippo during a town hall meeting he hosted was that risk is not measured only in terms of probability, but also in terms of impact. Yes, there was a relatively small chance that something bad would happen on January 1, 2000, but if it did happen, the impact in every situation could be catastrophic. As a business, we simply could not afford to take that chance.
GDPR is coming
Now, eighteen years later, I see something happening that reminds me so much of that time. The General Data Protection Regulation or GDPR comes into effect on May 25, 2018. Just like Y2K, there is a clear and unmovable deadline and things are going to be quite different after this date.
What I find different is that I do not see the same sense of urgency. Gartner predicts that almost 50% of organizations will not be fully GDPR compliant by the end of 2018, which is about 7 months past the established deadline!
I compare the attitude towards GDPR with the attitude towards Y2K and I see a big contrast. In my opinion, the reasons behind this lack of concern are:
1) Organizations do not understand whether or not they will be affected by this new regulation, whereas with Y2K pretty much anyone with an IT system was;
2) They do not realize the consequences they will face if they do not comply; and
3) They have fallen victim to the “low probability fallacy”, thinking that “there’s just a small chance this will happen to us”.
Let me clarify a few things here. Even if an organization has no physical presence in the EU, it will have to comply with GDPR requirements if it does business with EU residents (something very common in the online world), regardless of where in the world it is located.
This is not a matter of having a data breach incident and getting into trouble with some low-profile government officials. Compliance will be reviewed and requested by Supervisory Authorities, in some cases even without any known issue. That covers not only practices, but also ensuring that all record keeping and documentation on personal data practices is available when asked for.
Yes, the probability of a breach incident may be low (and in this day and age, with news of cyberattacks almost daily, I doubt it), but if one happens, or if a data subject complains and the EU Supervisory Authorities find an organization out of compliance, the reputational impact, as well as the financial and legal impacts, may prove too much to bear.
Where do we start?
I can understand when organizations are moving slowly because they simply do not know where to begin. I suggest the first step is to determine whether their operations are within the scope of GDPR. If they are, do not panic. A risk-based and prioritized approach can help:
- Start shaping a data protection governance structure. The first step is to determine whether or not you need a Data Protection Officer. If you don’t, document your reasoning for future reference. Also, identify who your Lead Supervisory Authority (LSA) will be, so that you have a single, consistent point of contact (as opposed to 28 different ones, one for each EU member state). Ensure you have senior management’s full support, since they must understand that they have clear responsibility under GDPR.
- Ensure your business practices support data subject rights and, if they don’t, identify where the gaps are. Notice, consent, responding to subject access requests (SARs), stopping personal data processing and deleting all personal data are a few of the rights that GDPR will enforce.
- Have an incident response plan, since GDPR requires the Supervisory Authority to be notified within 72 hours of becoming aware of a data breach incident.
Once these foundational pillars are in place, businesses can focus on developing a data protection culture in which data protection by design and by default is incorporated into all products and services, third-party contracts have clear clauses on GDPR compliance and responsibilities, and a program of continuous improvement is adopted.
GDPR is not Y2K, but it is certainly important enough for organizations to take notice and get to work. Don’t forget, the clock is ticking.
Learn more about our GDPR consulting services here.