What is the Similarity Between the Millennium Bug and EU GDPR?
In the years leading up to 1 January 2000, hundreds of thousands of IT people across the globe earned a fortune helping businesses prepare for the Millennium Bug.
The dawn of the new millennium brought fears that years of technical debt would cause massive computer glitches due to incorrect date formats. Realizing the scale and potential consequences of this spurred tremendous investment in testing, remediating and renewing the computer systems our businesses relied on and had come to trust.
It turned out that the catastrophe of the millennium did not occur. The world continued without major casualties. How many machines would actually have stopped working when the deadline expired, had they not been fixed? I guess we will never know. I like to believe IT Armageddon was prevented by the important work of many great IT people. Together, the IT community kept planes in the air, kept production lines running and ensured that millions of people still received their salaries when the new year started.
Looking back, however, many companies started preparing for the Millennium Bug too late. The consequences included significant resource bottlenecks, consultants who were completely booked out, and many companies forced to use less skilled consultants for highly sensitive jobs. This left corporations carrying unnecessary risks and unnecessary costs.
A deadline with an impact for all organizations
A deadline similar to the Millennium Bug deadline is right in front of us. All companies within EU member states, and all companies doing business with EU organizations, are working towards May 25th 2018, when the EU GDPR comes into force.
Many companies have already formed an EU GDPR project and are moving full speed ahead. Many more, though, are still struggling to get their heads around what lies ahead of them.
Like the Millennium Bug, the EU GDPR data protection rules will affect essentially every organization. The clock is ticking, and we are starting to see the Millennium Bug pattern repeat itself: many organizations are starting too late and underestimating the amount of work that lies ahead of them.
The EU GDPR introduces a broad definition of personal data
The EU GDPR means that personal data must be protected and handled in a new way. It requires, for instance, that access to personal data is aligned with EU GDPR requirements and that strict access governance processes are in place.
But does every organization control and process personal data? The definition of personal data is broad, and includes any information relating to an individual, including anything that contributes to identifying an individual, or links to such identifying information. With this definition, it is fair to say that every company holds or processes personal data across multiple systems and data stores, either on premises, in the cloud, or both. So essentially, every company is affected and must prepare, just as every company had to consider and prepare for the Millennium Bug challenges.
How to get compliant in time
Your organization needs to get started and implement the necessary changes to people, processes and technologies in order to become GDPR compliant in time.
We recommend that you carry out a “Get in Control” phase, which consists of eight steps to get ahead of the curve. These eight steps enable you to take a great leap forward and demonstrate that you have started the journey towards becoming EU GDPR compliant. For details on the eight steps, please download our e-book.
The consequences of non-compliance are clear
Unlike the Millennium Bug, where we weren’t sure of the consequences, we know exactly what the consequences of not being ready for the EU GDPR in time will be.
We know that the EU GDPR introduces increased compliance requirements, backed by heavy financial penalties. In case of non-compliance, organizations will potentially be subject to fines of up to:
€10 million or 2% of total worldwide annual turnover (whichever is greater) for serious breaches or non-compliance
€20 million or 4% of total worldwide annual turnover (for groups of companies, the turnover of the whole group; whichever is greater) for very serious breaches or non-compliance.
The €20 million figure is not a cap; it is designed to ensure that smaller companies can be fined up to €20 million even when 4% of their turnover would be a smaller amount. In other words, failing to address data protection compliance obligations could prove very costly for businesses.
Compliance is a legal requirement, and it will most likely not be possible to purchase insurance against such fines or losses, as insuring against the consequences of breaking the law is generally not permitted.
New paradigm after May 2018
To conclude, there are two similarities between the Millennium Bug and the EU GDPR:
Everyone needs to act
The consequences of not acting in time can be disastrous
And then there is one major difference: with the Millennium Bug, it was back to normal for businesses on January 1st 2000.
With the EU GDPR coming into force, companies will operate under a completely new paradigm for running their businesses.
Businesses that understand the new playing field will thrive; businesses that don’t understand it will fail miserably.
Want to know more? Our e-book provides guidance on how your organization can address the challenges posed by the GDPR and get ahead of the curve. Download the e-book.