August 9, 2023
Ok – so the GDPR is technically older than 5 years – it was adopted in 2016 but, you’ll remember, not enforced until 2018, hence getting in early on the 5-year claim.
If, like me, you were working in cyber security between 2016 and 2018, you might get a bit twitchy when people mention the letters GDPR. It was a feeding frenzy for some in the industry as vendors and service providers tried to pivot and re-brand themselves as somehow able to “solve” the GDPR challenges. I recall more than one pitch explaining how all my compliance issues would be over immediately after the receipt of a purchase order.
As a quick recap, the GDPR is an EU Regulation (i.e. you have to implement it) which is designed to protect how an individual’s data is stored, processed and shared – including why it’s done in the first place and giving people the right to see what is held about them and get it deleted. Powerful stuff designed to curb the unrestrained feeding frenzy of data ingestion and re-sale for marketing purposes inflicted on the general citizenry by the huge data harvesting firms. Even if we all blindly click “accept / whatever” on every website we ever go to now, tutting at the half-second delay it causes – the point is that those warnings and requests for your permission are there, and they didn’t use to be.
For the more “experienced” among you, I found it all very reminiscent of the Y2K chaos a couple of decades ago. By way of a quick recap, the millennium bug timeline went like this:
– Dawn of computing – date format of dd/mm/yy* casually becomes standard practice when introduced by someone wearing flip-flops in the office.
– 1980s – somebody realises having a two-digit year is going to be a problem at 00:00:01 2000 as the computer will think it’s 1900. Not ideal. Time is kind of important for computers.
– Early 1990s – everybody realises the same thing. Nobody does anything.
– Late 1990s – everybody panics, lots of people do lots of things. Not necessarily the right things.
From 1994 I was looking after a large network for a big financial institution, at the heart of which were some vast mainframes. Mainframes really did not like time discrepancies – in fact, just changing the time to BST and back each year was a major operation which always seemed to end in a “close your eyes and push the button” moment no matter how prepared we were.
The preparation for Y2K from 1998 onwards was frenzied. Everyone I knew in the industry was focused on pretty much nothing else. Projects were put on hold or abandoned all over the world, entire companies were formed to address the issue with armies of consultants, major vendors made reassuring (although not always) noises and the mainstream press went to town with the story. Millions and millions of pounds worth of hardware and software which could not be made compatible were binned and replaced. As well as partying like it was 1999, everyone had an eye on the sky as the clock ticked over to 01/01/00 to check for plummeting planes and satellites and TV crews were on standby outside nuclear power stations and missile bases in case they had to cover a computer induced meltdown or an unintentional start to WWIII (seriously). I’m not sure a live feed from outside the gates would have helped much in either case.
Tldr:
It was all fine, no planes fell from the sky, a few minor things went wrong for a few minutes, my team played lots of giant Quake matches on the LAN and billed lots of overtime while we waited for the new millennium to begin with our party hats and those glasses that spelt 2000 on.
During the final months of the run-up to GDPR when working on the other side of the fence as a solutions provider, we were both helping customers to understand how the regulations affected them and put a plan together to deal with it, and following the exact same process for our own business. Just like the run-in to Y2K, everything else went by the wayside as we all tried to do our best before the go-live date.
There was a lot to do – from identifying the data we held or processed and justifying it to ourselves, then to the owner of the data and gaining agreement to carry on – to deleting all the stuff we didn’t need and putting processes in place for documenting changes and responding to challenges from third-parties, everyone was kept busy and department heads suddenly had to think about why they had the data they had (a very good thing). Fortunately, the target was not quite so inviolable this time – the GDPR had been left quite ambiguous in some areas, it seemed deliberately, to allow a wide range of interpretations to be applied while remaining compliant. This was good news given the level of fines the ICO was empowered to levy should you be discovered to be in breach (up to 4% of global turnover). There was also a soft launch, with very little enforcement action in the first year to eighteen months, after which it really began to ramp up as regulators throughout Europe started to use their new teeth.
I remember quite a lot of complaining at the time, certainly from within the IT and cyber-security teams, at the amount of effort, time and lost opportunity it was costing us to prepare for the enforcement date, but now, 5 years later, I have to concede that it’s been very much for the greater good, and for the personal good too. Companies now know what data they hold, and why (or why they think they do). They probably even know where it is, and they may even know what to do if you demand they give it to you or delete it – it’s a huge step for consumer protection in an era where you are the product. This effectiveness is largely because from the outset the regulations were equipped with big, sharp teeth and nobody can afford to ignore a fine of the size which is now regularly levied on miscreants – how about that $1.2bn bill dropping through your door, Meta?
The CMS GDPR enforcement tracker here makes fascinating reading. You could argue that it’s a little depressing that the enforcement actions are increasing year on year, but for the reasons aforementioned I’m pretty sure that’s not on the whole because of wilful avoidance; it’s probably down to more active enforcement (nearly 1000 people on the job in the UK now) and companies simply making mistakes, which seems to be reflected in the variable level of the fines issued.
Lastly, perhaps the largest positive to come out of the Y2K and GDPR efforts is that we will all be well rehearsed for the sweeping AI regulation which I’m sure is just around the corner.