The three certainties in life: death, taxes and GDPR

Categories: Compliance; Security; Security, Risk, and Compliance

As the GDPR clock ticks down to implementation, it is clear that this will not be a non-event like the Millennium Bug – it will happen and there will be dire consequences, potentially company-closures, in the event of non-compliance.


1999 was a milestone year for the development of technology. The Blackberry phone was released as was Bluetooth technology and the Apple iBook G3. It was also the year of Y2K, more affectionately known as the Millennium Bug.

IT veterans will remember the sense of paranoia regarding the Millennium Bug. Not since then has there been such a pervading atmosphere of trepidation across the industry. And guess what’s causing it? The compliance regulation ‘du jour’, if you will: the EU General Data Protection Regulation (GDPR). With the regulation set to come into force on May 25th 2018, time is fast running out for businesses of all shapes and sizes to get their data houses in order. What’s the penalty for not doing so? A crippling fine of €20 million or four percent of global turnover – whichever is higher.

However, there’s a stark difference between GDPR and the Millennium Bug – GDPR is going to happen. There are now three certainties in life: death, taxes and GDPR! Every organisation that processes data within the EU must be compliant by the deadline. It also extends beyond the EU: any organisation that holds or processes data on EU residents, regardless of where it is headquartered, will have to comply.

Power to the people

However, it’s not all doom and gloom. In an age where data breaches have become a daily occurrence and with consumers feeling that marketing has become intrusive, the regulation puts data privacy squarely back in the hands of individuals.

Instead of organisations hiding behind a privacy policy at the bottom of every form, they now have to give their user base the right to be forgotten. This means that if a person asks the organisation to delete their information, it is legally obliged to do so. Organisations need to ensure that they can not only locate all relevant personal data about the individual, but also extract or delete that data upon request and in a timely manner.

As organisations consolidate more and more data sets from legacy relational databases and data warehouses into big data environments, they benefit from having a central hub where data security and governance policies can be managed and enforced consistently. When data is stored on a central platform, organisations have the best view of where personal data resides and a single place to secure and govern it for GDPR compliance across the organisation.

To many, compliance leads to the avoidance of risk – avoiding big fines and damaged reputation. Beyond that, there is also the opportunity to build an increased reputation and level of trust with users – both those inside and outside the EU – many of whom value companies that in turn value their privacy.

Know your data

GDPR will create a standardised framework whereas in the past different countries had varying laws and regulations with different interpretations. It will create a level playing field where everyone understands what the rules are concerning the data privacy of EU individuals. With everyone singing from the same hymn sheet, it creates additional protections that didn’t exist before.

GDPR compliance is an enterprise-wide business problem requiring a massive cross-departmental effort that touches upon oversight, technology, processes, and people. It will be no easy feat. There’s no magic ‘GDPR mode’ switch that can be flicked on existing systems. Fundamentally, it comes down to understanding the data landscape and being able to pinpoint and operate on data with surgical precision.

When the world waited with bated breath for the clocks to tick over to 2000, very few computer failures were reported. It was as anticlimactic as the release of Star Wars: The Phantom Menace (also released in 1999).

Unfortunately, in a post-GDPR world no organisation will be getting off that lightly. Inadequate preparation for the incoming legislation could spell failure for an organisation. A few words of advice: know your data. Understand where it is. Understand how it’s being used, and do so as soon as possible to give business users ample time to remediate gaps. The GDPR clock is ticking.


Originally published in SC Magazine, November 21st, 2017