In 1999, people across the world were terrified about the prospect of the millennium bug. This fear came from the prophecy that as the clocks ticked over from 23:59:59 1999 to 00:00:00 2000, nuclear bombs would spontaneously explode, planes would fall from the sky, power plants would shut down, and the world would basically stop. The reality was that as the clocks turned from one millennium to the next, people drank and watched fireworks, then nothing happened the next day. It was reassuringly anti-climactic.
The reason that the world wasn't destroyed by VCR clocks is that companies, governments, and individuals all took sufficient actions to prevent it. Millions of computers were checked, airlines put action plans into place, nuclear bunkers were secured, and all of this meant that when the final second of the 20th century was behind us, we didn't end up with ash and destruction.
Many believe that companies today find themselves in a similar situation, but one that they are walking into without knowing it - GDPR.
GDPR, the General Data Protection Regulation, is a law from the EU coming into force in May 2018 that will impact any company that has a European citizen in its database. Given that European citizens are in every country in the world and exist on practically every customer database in the world, it means that this legislation has the potential to impact every company on the planet. The punishments for not adhering to these rules are also massive, with fines of up to €20 million.
In fact, according to a survey done by Litmos Heroes, 30% of UK businesses have not even heard of it, let alone begun making preparations for its implementation. If this is accurate and the assumptions about the huge implications of GDPR are correct, then this has the potential to be devastating for those companies.
However, much like the millennium bug, for most companies, this may be a storm in a teacup.
This is because although the world's most famous companies are often B2C, the world's most numerous companies are B2B focussed. This means that there is confusion around whether databases holding only business email addresses and data count as personal data or not. If they don't, then B2B companies, which outnumber B2C companies, may only need to do minimal work to comply with GDPR. However, one thing that is certain is that, due to the ambiguity in what actually constitutes personal data when dealing with business email addresses, B2B companies at least have a big loophole through which to operate outside of the GDPR.
Instead of needing to go through the exhaustive process that many companies will be required to do, B2B companies will simply need to remove or opt in any personal email addresses, which is a simple enough process. They will then be complying with the new regulation, as they won't be holding the personal data of any EU citizens. In the future this may be different, with another bill, the e-Privacy Regulation, looking to dovetail with the GDPR, which includes considerably softer opt-in rules and much more flexibility in terms of how and when people can be contacted. There is also no requirement to provide all the information back to subjects upon request, which saves a huge amount of work for those companies.
So, at present, with the ambiguity around GDPR, it could be that we see it become the damp squib that the millennium bug was, or it could become the huge issue that the millennium bug was predicted to be. Unfortunately, thanks to the ambiguity of language in the regulations and no indication of how aggressively it will be policed, it is impossible to know.