The GDPR Could Be the Next "Millennium Bug"
Interview with Brad Hathaway
By Miran Varga, Delo, 13.03.2017
Brad Hathaway, regional manager of the data management department at SAS, is convinced that compliance with the GDPR and detailed data management in the company should be undertaken immediately. At the same time, he sees the GDPR as an ideal opportunity for companies to thoroughly organise their IT environments, since they will have to dedicate sufficient resources to this project.
What should companies know about the new General Data Protection Regulation (GDPR)? How will it affect their business?
There is no universal answer to this question, since every company will experience this regulation differently. At the moment, you can find multiple IT systems in companies that were developed organically, resulting in different combinations of business software and data between companies. However, rather than concerning themselves with data stored in their central IT systems, companies should be more concerned about data stored outside such systems, i.e. data stored in various documents, spreadsheets, and other files.
The methods companies should use to ensure compliance depend on where their data is located – some should conduct the assessment and organisation by themselves, while others should work with systems integrators. To start with, companies should be aware that the GDPR affects all companies – small and large – that store European citizens’ personal data. Even though 24 May 2018, when the regulation enters into force, might seem far off, many companies may be underestimating the difficulty of the task they are facing.
How should companies deal with their data storage?
They should definitely take advantage of technological solutions that include data management technology. Regulators will want to see companies having control over their customers’ personal data. Companies will prove their compliance with regulatory requirements by providing access to data and identification of personal information in data sources, the inclusion and inventory of personal data, and protection using techniques such as anonymization and encryption. Companies will also have to show regulators who in the company has access to users’ personal data, and ensure an audit trail. Once companies start organising personal data in such detail, it is highly recommended to expand the overview and organisation to other parts of their IT infrastructure.
Is this regulation purely a matter of ensuring compliance?
Most companies really do see the regulation in such terms. Personally, I think they are making a mistake if they only intend to meet the minimum compliance criteria. Even these require companies to implement an infrastructure for data management. However, this should be expanded to all business operations, otherwise it does not make much sense. It is like signing up for a bicycle race, training, and then only competing in the first stage. Data management in business environments is a long journey, not just a single stage.
Are there any shortcuts to ensuring compliance?
The only shortcut is to use technologies that help companies achieve compliance more quickly. Most companies will use the services of systems integrators or consulting companies to perform a review of their exposure to GDPR requirements and determine the risks. These are related primarily to the fact that companies cannot find and manage all data sources where personal information is stored. A manual review of all folders and files is simply out of the question for most medium-sized and large companies, as there is simply too much data. There are also two scenarios that represent great risks to companies: firstly, if the company fails to find all the sources of customers’ personal data during a review and the system is then hacked and this data exploited; and secondly, unsuitable protection or use of this data without the users’ approval.
What advice would you give to companies?
To guarantee a complete review, use automated tools that can intelligently search for and identify personal data. These tools have to be adapted to the local market, since a tool optimised for searching for US citizens’ personal data will not be as effective when searching for Slovenian citizens’ personal data. Some tools can be adapted, while others cannot; companies should therefore be careful when using such tools.
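As an added illustration of the locale point above (not code from SAS or from the interview): a minimal discovery routine with a US detector (SSN pattern) and a Slovenian detector (13-digit EMŠO validated with its modulo-11 check digit), run over a constructed sample document. The sample values and the invoice number are made up.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample: the kind of unstructured file that lives outside the
# central IT systems. All values are invented.
SAMPLE_TEXT = """Customer: J. Novak, EMSO 0101006500006, phone 040 123 456
US contact: SSN 123-45-6789
Invoice no. 1234567890123 (not a person identifier)"""


def emso_check_digit(first12: str) -> Optional[int]:
    """EMŠO check digit: weights 7..2 repeated over the first 12 digits, mod 11.
    Returns None when no valid check digit exists for these digits."""
    weights = [7, 6, 5, 4, 3, 2] * 2
    total = sum(int(d) * w for d, w in zip(first12, weights))
    k = 11 - (total % 11)
    if k == 11:
        return 0
    if k == 10:
        return None
    return k


def is_valid_emso(candidate: str) -> bool:
    """Structural check (DDMM prefix) plus the check digit."""
    if not re.fullmatch(r"\d{13}", candidate):
        return False
    day, month = int(candidate[:2]), int(candidate[2:4])
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return False
    return emso_check_digit(candidate[:12]) == int(candidate[12])


# Per-locale detectors: (kind, pattern, validator). A bare 13-digit run would
# also flag invoice numbers, so the Slovenian rule requires the checksum.
DETECTORS = {
    "US": [("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True)],
    "SI": [("emso", re.compile(r"\b\d{13}\b"), is_valid_emso)],
}


def find_personal_data(text: str, locale: str) -> List[Tuple[str, str]]:
    """Return (kind, value) hits for one locale's detector set."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern, validate in DETECTORS[locale]:
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                hits.append((kind, m.group(0)))
    return hits
```

Running the US detector set over the Slovenian record finds nothing, which is the gap the interview describes; the invoice number is rejected by the checksum rather than reported as a person identifier.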
What effect will the GDPR have on the IT industry?
There is a chance that the GDPR will become the next “Millennium bug”. Similarly to how companies were worried in 1999 whether ten- or twenty-year-old or even older IT systems would be capable of rolling over to 2000, companies are now wondering whether they are capable of such detailed personal data management. A review of all IT sources had a dramatic effect on the industry, but primarily because companies were putting it off to the last minute. There are similarities to the situation with the GDPR: companies are aware that they are facing a thorough review; however, since the deadline is next year, they are simply putting it off, while some are, in fact, intentionally waiting for clearer guidelines and instructions from the EU. But this will leave them with barely any time to complete a very complex task.
Will technological progress in the future lead to constant regulation changes?
This is hard to predict, but the trends of big data and the internet of things indicate that companies will store increasing amounts of data, and reviewing it will become increasingly complex.
Can the public develop a more conscious attitude towards data usage?
Data are omnipresent nowadays and are perceived as such by the public. They are part of everything we do, be it shopping online, spending time on Facebook, paying speeding tickets, or sending e-mails. We “leave” personal data everywhere. Today, Internet access is as important as electricity and water. Even though we are surrounded by data, I would not characterise the public as data-conscious.
Could data protection and privacy become school subjects in the future?
Data protection and privacy protection likely will not become school subjects, but will be discussed much more in schools. In the future, children and young adults will be much more aware of their rights regarding data usage, while these two topics will be addressed in much more detail at certain faculties. The faculties of computer science, faculties of law, and similar faculties will have to place a greater focus on these topics, since future IT systems and solutions will reflect legislation that states that privacy protection must be included by default in future system solutions.