
Ok – so the GDPR is technically older than 5 years – it was adopted in 2016 but, you’ll remember, not enforced until 2018, hence getting in early on the 5-year claim.

If, like me, you were working in cyber security between 2016 and 2018, you might get a bit twitchy when people mention the letters GDPR. It was a feeding frenzy for some in the industry as vendors and service providers tried to pivot and rebrand themselves as somehow able to “solve” the GDPR challenges. I recall more than one pitch explaining how all my compliance issues would be over immediately after receiving a purchase order.

As a quick recap, the GDPR is an EU Regulation (i.e. directly applicable law in every member state, not a Directive each state has to transpose) which governs how an individual’s personal data is collected, stored, processed and shared – including requiring a lawful basis for doing it in the first place, and giving people the right to see what is held about them and to have it deleted. Powerful stuff designed to curb the unrestrained feeding frenzy of data ingestion and resale for marketing purposes inflicted on the general citizenry by the huge data harvesting firms. Even if we all unthinkingly click “accept / whatever” on every website we visit now, tutting at the half-second delay it causes, the point is that those notices and requests for your permission are there, and they didn’t use to be.

For the more “experienced” among you, I found it all very reminiscent of the Y2K chaos a few decades ago. By way of a quick recap, the millennium bug timeline went like this:

  • Dawn of Computing: Two-digit years in date formats such as dd/mm/yy casually become standard practice, introduced by someone wearing flip-flops in the office.
  • 1980s: Somebody realises that a two-digit year will be a problem at 00:00:00 on 1 January 2000, as the computer will think it’s 1900. This is not ideal. Time is kind of important for computers.
  • Early 1990s: Everybody realises the same thing. Nobody does anything.
  • Late 1990s: Everybody panics, and many people do many things. Not necessarily the right things.

From 1994, I was looking after a large network for a big financial institution, at the heart of which were some vast mainframes. Mainframes really did not like time discrepancies—in fact, just changing the time to BST and back each year was a major operation that always seemed to end in a “close your eyes and push the button” moment no matter how prepared we were.

The preparation for Y2K from 1998 onwards was frenzied. Everyone I knew in the industry was focused on pretty much nothing else. Projects were put on hold or abandoned worldwide, companies were formed to address the issue with armies of consultants, major vendors made noises that were mostly (although not always) reassuring, and the mainstream press went to town with the story. Millions and millions of pounds’ worth of hardware and software that could not be made compliant were binned and replaced. As well as partying like it was 1999, everyone had an eye on the sky as the clock ticked over to 01/01/00, checking for plummeting planes and satellites, and TV crews were on standby outside nuclear power stations and missile bases in case they had to cover a computer-induced meltdown or an unintentional start to WWIII (seriously). I’m not sure a live feed outside the gates would have helped much.

Tldr:

It was all fine. No planes fell from the sky, and only a few minor things went wrong for a few minutes. My team played lots of giant Quake matches on the LAN and billed lots of overtime while we waited for the new millennium to begin, wearing our party hats and those glasses with 2000 spelt out across the front.

During the final months of the run-up to GDPR, when I was working on the other side of the fence as a solutions provider, we were both helping customers understand how the regulation affected them and putting plans together to deal with it, and we followed exactly the same process for our own business. Like the run-in to Y2K, everything else went by the wayside as we all tried to do our best before the go-live date.

There was a lot to do – from identifying the data we held or processed and justifying it, first to ourselves and then to the owner of the data, and gaining their agreement to carry on, to deleting all the stuff we didn’t need and putting processes in place for documenting changes and responding to requests from third parties. Everyone was kept busy, and department heads suddenly had to think about why they had the data they had (a very good thing). Fortunately, the target was not quite as hard-edged this time: the GDPR had been left deliberately ambiguous in some areas, it seemed, to allow a wide range of interpretations to be applied while remaining compliant. This was good news given the level of fines the ICO was empowered to levy should you be found to be in breach (up to 4% of global annual turnover or €20 million, whichever is higher). There was also a soft launch, with very little enforcement action in the first year to eighteen months, after which it began to ramp up as regulators throughout Europe started to use their new teeth.

I remember quite a lot of complaining at the time, certainly from within the IT and cyber-security teams, about the amount of effort, time, and lost opportunity it was costing us to prepare for the enforcement date. Still, 5 years later, I have to concede that it’s been very much for the greater good, and for the personal good too. Companies now know what data they hold, and why (or why they think they do). They probably even know where it is, and they may even know what to do if you demand they give it to you or delete it – a huge step for consumer protection in an era where you are the product. This effectiveness is largely because, from the outset, the regulation was equipped with big, sharp teeth, and nobody can afford to ignore a fine of the size now regularly levied on miscreants – how about that €1.2bn bill dropping through your door, Meta?

The CMS GDPR enforcement tracker is fascinating to read. You could argue that it’s a little depressing that enforcement actions are increasing year on year, but for the reasons above, I’m pretty sure that’s not, on the whole, because of wilful avoidance; it’s probably down to more active enforcement (nearly 1000 people are on the job at the ICO in the UK now) and companies simply making mistakes, which seems to be reflected in the variable level of the fines issued.

Lastly, perhaps the largest positive of the Y2K and GDPR efforts is that we will all be well rehearsed for the sweeping AI regulation, which I’m sure is just around the corner.