Is GDPR Y2K all over again?
Almost 20 years ago, the IT industry was turned upside down with fear and hysteria.
Y2K brought mass chaos that gripped not just IT professionals, but business as a whole. Or as the media proclaimed, “the world as we know it!”. It was a boon for IT spending, and a windfall for consultants and IT vendors peddling “solutions” spiced up with a dash of impending doom.
The pending implementation of the EU’s General Data Protection Regulation (GDPR) has driven a similar rush. So … is GDPR the new Y2K?
Y2K vs. GDPR
GDPR is a broad-sweeping data protection regulation that will affect all organizations that do business with EU residents regardless of where those organizations are based. It regulates how companies collect, manage, use and delete user-identifiable data.
So, does GDPR look like Y2K all over again? In many respects it does:
- A drop dead date? Yep!
- Media hype? Oh yes!
- IT vendors selling on fear (or maybe more politely, over simplifying the message)? Unfortunately!
- Large penalties if we get it wrong? Yes, but in dollars, Euros and pounds rather than nuclear powerstation meltdowns!
GDPR an opportunity, not a threat
But fear not. It’s not all doom and gloom. It’s actually a fantastic opportunity. Like all good politicians say, “Let’s not waste a good crisis!”. GDPR is just what we need to kick start an organization-wide culture change around data.
I think data management in an organization is a little bit like my hair: I know I should get a haircut, but I’m just too busy. A tongue in cheek threat by my partner is just what I need to kick me into gear and book in that time with the hairdresser. GDPR is just that! It’s our motivation around the obvious.
5 ways GDPR can positively impact your workplace
Here are my five tips to make sure GDPR is not “a reactive event”, but a pragmatic start to an organization-wide cultural shift around your treatment of data:
1) Keep it simple
If your GDPR journey is only present in the domain of the lawyers, procedure makers, and management, then you’re missing an opportunity, and arguably not even following successful practice. Great data management belongs in the hands of all, particularly those at the coalface.
Take the time to keep it simple and talk to everyone in your organization. Concepts like the following can be understood by all:
- What is personal information and where is it kept
- Understanding the right-to-forget and right-to-access
- The personal impact of a data breach
Knowledge allows us all to play a part to protect data in our organization.
2) Remember it’s about people
All too often we focus on the systems and procedures and forget the people element. History shows that the majority of data breaches or policy slips occur because of internal human error, rather than “external hackers”.
Your GDPR journey should be the start of a cultural shift around data protection. A culture that addresses data from the printout on their desk, to details placed in their last email. Focus on people first, then the systems – after all, your employees are community members too, so appeal to this sense of purpose. Use it to support change, ownership and help forge data security into culture.
3) Don’t fall for “tool seduction”
It’s human nature to look for quick solutions to complex problems. Surely there’s a tool for that?
GDPR is NOT:
- Solely a cybersecurity problem that can be fixed with a firewall
- Solely a physical document that can be fixed with implementing secure print release
Each these items help, but they’re not the whole solution. Don’t be seduced into thinking one new shiny tool is the answer. Great craftsmen use many tools.
4) Avoid IT vendors overselling
Be wary of vendors proclaiming, “Get GDPR compliant with XYZ”. Hooking into fear or uncertainty may be effective, but it’s not smart marketing! Drill into the detail and understand how something helps at a first-principle level. Ask how it changes behaviour or reduces risk.
Likewise, on the other end of the spectrum, keep an eye out for IT solutions that don’t even acknowledge GDPR. Any computer system that stores data may be called upon to support a right-to-be-forgotten request. Ask vendors what features they have in their software to make your “GDPR life” easy. Do they have a “right-to-forget” button?
5) Don’t stop at GDPR
Lastly, the introduction of GDPR is a start, not a destination. The Equifax breach and others were wakeup calls for us all. Best practice data management will always be evolving, and evolution is best supported when your organization’s culture embraces it. Use GDPR to kickstart your workplace’s awareness around data.
Let’s make GDPR the start, rather than an end like Y2K.