Welcome to the final part of my series of articles that have been looking at the challenges that GDPR poses and what can be done to mitigate them.
At the time of writing (mid-March 2017) we need to recognise that
a) No major organisation is GDPR compliant whatever they may claim.
b) No consulting organisation that is offering GDPR readiness audits is itself compliant.
c) You cannot “buy” GDPR compliance – there are no technology silver bullets.
GDPR is fundamentally an “operational hygiene” regulation, and as I touched on in part 5, the parallels with the changes in the food supply chain (“From Field to Fork”) after the BSE crisis and its anti-tamper responses to “terrorism” threats should be regarded as a clear indication of how IT needs to adapt and of the scale of the remediation work.
All of us are aware of food hygiene star ratings when we go into a coffee shop or restaurant, and we have a good inkling of how these are awarded given the range of cockroach-infested “Restaurants from Hell” reality TV shows on the airwaves. Unfortunately data breaches are mostly silent and invisible, and it is difficult to draw a direct link between a particular technology incident and its group of hand-wringing victims; a forgotten link to a dusty corner of YouTube will be their only epitaph.
At the moment virtually all organisations regard GDPR as just another cost burden rather than an opportunity to improve their operational efficiency and effectiveness. Those that put their heads in the sand and grumble about the burden of regulation are going to be the losers as the regulation starts to be enforced.
The winners in the GDPR stakes will be those that truly “transform” their IT systems architecture, not by slogans but by sound evidence-based design that is highly automated and driven by a consistent set of identities and roles with embedded taxonomies and ontologies.
We can be sure that there will be many high-profile sacrificial victims, and the prospect of fines of up to 4% of global turnover has certainly piqued the interest of the legal profession (how GDPR compliant are their systems, I wonder?). Litigation and successive cycles of appeal and plea bargaining are not going to make things any better and will only motivate hackers and whistleblowers more, if only to make more mischief.
Perhaps the biggest challenge is how to wean ourselves off the current addiction to the “need to code”, be it in Python, R or the JavaScript languages du jour.
GDPR is not about code; it is about data.
Very few developers I have encountered ever mature to building data-driven applications or understand generative techniques. The simple act of cloning a GitHub repository and ‘borrowing’ a piece of open source to complete the next sprint has become the “fix” that keeps a coder on the agile sweatshop treadmill.
Computing technology is still a nascent industry: its first-generation pioneers have only recently passed away, and most of the leaders of the internet wave are only just entering middle age.
GDPR is not some sort of old-guard IT practitioner “I told you so” reaction; it is about intellectual rigour, professionalism and respect for the individual, and we must apply it accordingly.
Rupert Brown is CTO of The Cyber Consultants. He has an unrivalled track record over 30 years in banking IT, comprising senior strategic and operational roles in frontline application architecture, development and delivery as well as ground-breaking enterprise technology infrastructures. This has been complemented by similar client-facing leadership roles for information vendors and Silicon Valley “unicorns”. He was formerly a Chief Architect at UBS and before that served in senior roles at Bank of America Merrill Lynch, Reuters, Paribas and Morgan Stanley.
This article was first published on LinkedIn Pulse on 14th March 2017 and can be found here.
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.