The Millennial Bug (Y2K) & GDPR – Some issues to think about…

This is a teaser! Something to make everybody think holistically about the new challenge facing organizations. The idea is to shake up some concepts about the similarities and differences between two huge organizational challenges: the one we faced in the past and the one we face now.

The last big challenge organizations had was Y2K (the fear that applications would have problems with the change of dates from 1999 to 2000). This issue moved companies worldwide to fix, or at least minimize, the risks hidden in the code of the applications that supported their businesses. The risks were basically damage to the brand, loss of revenue, failure to support their operations, and so on. But most of the problems were IT related.

Now the new challenge goes beyond IT, although IT is still a critical part of the problem. The GDPR challenge goes far beyond IT issues alone. It is a main issue for the whole Organization, because it is a multidisciplinary problem that must be handled by the whole Organization, unlike in the past. Now you have problems to be solved by many different areas of the Organization, together, with the focus on being compliant with a worldwide legislation that has several flavours, cultural specificities, political and economic interests, financial and economic particularities, and so many other points, but, summarizing: $$$$$.

One point that caught my attention is the role third parties have in both cases: in the old one, several organizations used third parties to do the analysis and fixes in their code to avoid problems. The third parties did the work (basically) alone, because the Organizations didn't have all the resources to do it: finding the possible bugs in the code, fixing them when found, and testing to be sure that the new code ran fine and didn't jeopardize the organizations' objectives.

Now what catches my attention is exactly the same thing, but with an enormous difference: it will be impossible to push to third parties all the tasks required to implement a solution that fits the reality of each particular customer. There is no simple, basic, guided, ready, out-of-the-box approach to do it, at least not without the fundamental participation of the Organization's people, who actually keep and maintain the culture, the processes, the methods, the business practices and so on. This time there is no way to outsource everything: the Organization has to participate in the whole process of becoming compliant with the GDPR and its derivations/localizations.

This is a simple table to illustrate some aspects of the similarities and differences:

Aspect / Similarities & Differences

Business

Y2K:
- Risk of loss of revenue
- Risk for the brand
- Risk for the business operation
- Etc.

GDPR:
- All of the above
- Fines
- IT applications, architecture, BPM, database administration, APMs, etc.
- Legal issues
- Adjustment of the Organization's processes, culture, security actions, etc.
- Mapping new ways to improve the business processes
- Multidisciplinary actions from the different areas of the Organization
- Unification of the Organization's objectives
- Etc.

Architecture

Y2K:
- Very few opportunities for change; the objective was keeping the business running
- Only mature Organizations saw that opportunity as a break in the status quo to implement changes in Dev/Sec/Ops, no matter how it was implemented
- No strategic investment, just what was needed to keep the business running
- Strong outsourcing wherever possible
- Small participation of the Organization's key people
- Architecture is not an IT-only issue
- Etc.

GDPR:
- Huge opportunity to review architecture changes, if not the whole of IT, at least the critical applications, with the collaboration of the key users
- Architecture means Enterprise Architecture, not only IT
- Map the dependencies between the applications, review the database structures, etc.
- Change in the board's perception of the importance of the changes across the whole company
- Strategic investments instead of tactical ones
- Outsourcing is not the silver bullet; the participation of the Organization's key people is part of the success process
- The Organization realizes the importance of Dev/Sec/Ops, as well as the importance of knowing the dependencies between the applications, etc.
- The contracts with third parties must be reviewed, because they leave the biggest risk with the customer only. The SLAs are very weak in terms of protecting the customer's business, with very loose control of what the third parties deliver, and no control by the Organization's critical people over the key issues of contracts made from HQ
- New contracting models are needed
- Etc.

Legal

Y2K:
- Problems with applications that created problems for the customers
- Potential lawsuits from consumer defense organizations
- Fights with third parties, service providers and partners that added risk to the applications; hard to find the root cause of the problems, with a high cost to fix them

GDPR:
- Legal issues with the certification entities, government, deadlines, risk of legal fines, risk of refunding problems caused by the Organization
- Risk to the brand
- Lack of control over what the third parties deliver to fix the issues and guarantee compliance with the standard
- Cost of all of the above, etc.
- Outsourcing is part of the solution, not the solution itself, and there are many specific areas of the legal aspect to be covered by a single partner/provider
- Etc.

IT

Y2K:
- Tactical approach
- Code focused
- Outsourced almost 100%
- Domestic risks
- Internal controls
- Small or no participation of other areas of the Organization
- Small or limited amount of new technology implemented
- No architectural approach
- Etc.

GDPR:
- Complete architectural approach
- Opportunity to develop an Enterprise Architecture based on what is dug out of the current one; opportunity to implement a new approach to the way IT delivers services to the Organization
- Application focused
- External exposure & controls
- Organizing the internal key people is critical to the success of the initiatives
- New technology, new processes & methods must be implemented
- New controls must be implemented
- Opportunity to implement cheaper infrastructure resources
- High dependency on other areas of the Organization
- Work as a team with the Organization
- Etc.

Organization

Y2K:
- Domestic issue
- Loosely controlled
- High dependency on third parties
- No need to integrate different areas of the Organization
- Low risk for customers / administered risk
- No strategic thinking
- Silo architecture
- Etc.

GDPR:
- External issue / need to be certified on time
- Highly controlled
- No more silos accepted / sharing information is crucial
- High dependency on third parties, but high participation of the Organization's key people
- High risks on every side we look at
- Multidisciplinary approach to the application issues, covering business, IT and other areas
- Shared information / no silos accepted
- Brand risks
- Risks of legal & financial fines/adjustments
- Etc.


As I mentioned at the beginning of the article, it is a teaser to try to get people to start thinking about the differences between the challenges of two moments in the life of IT and the Organizations. I tried to raise the differences more than the similarities of the two challenges, because the similarities are easy to identify.

I'm sure this list deserves a lot of new material, but as the idea was to draw attention to the subject, I didn't try to exhaust it, not least because there are a lot of people much better prepared to discuss all or part of the issues raised in this article.

Thanks if you read this far, and please add your comments. A lot of people will benefit from them.

Hugs,

Mauricio Medina

Lars Wilkens Henriksen

Enterprise Architect - Open for new job positions


Hi Mauricio - very interesting and very complete summary of the differences between Y2K and GDPR, thanks. From my perspective - Enterprise Architect as I am - the most interesting aspect of GDPR is that you may get the organisation's Management, Board etc. to really take the need to comply with GDPR as a strategic opportunity to revisit business processes, governance, etc. (whereas Y2K was just a boring, but needed investment in modifying data formats). In other words, the message should be: GDPR investment is needed - so use it to get improvements in the business operation, and gain benefits, not only expenses. Hugs, Lars
