Remember Y2K? If you’ve been in the IT industry for 20 years or so, you certainly will: all the hype that was generated in the 1990s about the impending “time bomb” of the Year 2000. What would happen to IT systems around the world when the year clicked over from 1999 to 2000? Had they been programmed to handle four-digit years or only the last two digits? As it turned out, there was no major disaster on New Year’s Day 2000 and many people claimed that the Y2K “bug” was over-hyped – a ploy by the IT industry to drive demand. But was it? What I saw in the years leading up to the year 2000 were organisations acting responsibly to test their software (or mandate that their suppliers did) so that the problem – which in many IT systems was all-too-real – was mitigated well before the big day.
So now we have GDPR, the EU General Data Protection Regulation, which comes into effect on 25th May 2018 – just 13 months away. And once again, there’s a lot of hype about how all-encompassing the regulation is and how draconian the fines could be. But if you take a look at GDPR, you’ll find that it’s not hype: the regulation is very comprehensive and those fines – up to €20m or 4% of global annual turnover, whichever is higher – are pretty draconian! What amazes me is that, unlike Y2K, I don’t see organisations mobilising in the same way to ensure they have mitigated the risk. In fact, research conducted by Veritas shows that 54% of organisations haven’t even started preparing for GDPR yet. And Gartner predicts that things won’t be much better even once the regulation has come into effect: 50% of companies that are affected by GDPR will not be in full compliance by the end of 2018.
What’s causing this lack of action? I think it’s down to two things. Firstly, while the arrival of 1st Jan 2000 was assured, how the EU regulators will enforce the new regulations is much less certain. While the penalties may be severe on paper, the risk in practice is unknown. And secondly, organisations are struggling to interpret the regulation and determine what concrete actions they need to take in order to be compliant.
Based on Veritas’ analysis of the GDPR requirements, there are five main points to bear in mind:
Those are the main tenets of the regulation – but just what should organisations be doing to become compliant? Veritas has identified five capabilities that you should ensure are in place:
If all organisations that are impacted by GDPR were to ensure that they have these five basic capabilities implemented in their IT environments, we could be confident that 25th May 2018 would have as little impact on them as Y2K turned out to have all those years ago.
What are your thoughts on GDPR? Are you prepared?