The Y2K bug reshaped the technology industry. The sheer scale of the problem, coupled with the fact that the entire world was up against a hard and inflexible deadline, meant that organizations around the globe were forced innovate and change the way they conducted business in an unprecedented way.
Now, nearly two decades later, we find ourselves facing another potential "dinosaur killer." The European General Data Protection Regulation (GDPR), a sweeping piece of regulation that will affect all organizations that do business with EU residents regardless of where those organizations are based, goes into effect in just five months. And as this deadline looms, I can’t help but see similarities between our current situation and Y2K.
The Y2K problem parallels GDPR in that both scenarios involved a hard drop-dead date that brings with it severe penalties on a global scale. But despite the massive penalties that noncompliance with GDPR carries, I simply haven’t seen the same degree of fervent activity to mitigate the risks as we saw leading up to January 1, 2000. In fact, preparations for GDPR are going terribly, with Gartner estimating that fewer than half of the organizations that will be affected will be in full compliance with the new laws by the end of 2018. This is a huge problem.
All told, companies around the world spent an estimated $300 to $500 billion to address the anticipated problems that would occur when our clocks rolled over from 1999 to 2000. In the process, the entire tech industry was transformed, as companies were forced to abandon outdated systems en masse in favor of ERP architecture that not only solved the Y2K issues but offered radically enhanced capabilities over their predecessors.
The hard, immutable deadline of Midnight, 1999 forced an overhaul of data management hardware, software and procedures at an unprecedented scale that may never have occurred otherwise. That being said, the Y2K bug was at its core a very well-understood technology problem. Engineers had known about the issues that led to the Y2K scare for decades, and when the bill finally came due and the world scrambled to meet the challenge, it was relatively straightforward (albeit extremely expensive) to contain the issue and address it with technology upgrades that companies had years of lead time to implement.
GDPR, on the other hand, isn’t just a technology problem -- although technology certainly plays a key role. It is also a (widely poorly understood) legislative issue that has the potential to affect nearly every department within your business. Under GDPR, organizations can be punished for violations of record keeping and privacy impact assessment obligations, even if they suffer no actual data breaches. Furthermore, if a breach does occur, regardless of who was responsible, it will be the organization that pays the price, both in terms of financial penalties and reputational damage. All of this means that making your organization GDPR compliant will require thoroughly evaluating and potentially changing how your company collects, processes and secures personal data, which carries far-reaching implications from legal, technical and organizational perspectives.
The inexorable approach of the GDPR deadline has caused considerable panic, but I believe a little panic is a good thing. It means that business leaders can no longer kick the can down the road, forcing innovation and upgrades to technologies and processes that have been neglected for far too long. The massive breaches in security suffered by Equifax and others are a blaring wakeup call that “business as usual” when it comes to data handling and protection is woefully inadequate. It’s time to shake things up, adapt and evolve.
I believe that, like the Y2K problem, GDPR can serve as a necessary catalyst in bringing our data practices into alignment with the realities of the modern world. These regulations will force organizations around the globe to evaluate and improve the handling, security and control of the information they are entrusted with. This will, in turn, expose significant opportunities to update and enhance their business processes and technologies while improving the integrity and overall quality of their data. And while it is now truly down to the wire to prepare for GDPR, my fervent hope is that members of the global business community will seize upon these opportunities and respond with the same level of tenacity, innovation and investment to prepare for this deadline as they did in the months leading up to New Year’s Eve, 1999.
