Guest Blog /

“Digitizing” GDPR in Financial Services – Part 3 – Controller and Processor

Corix Partners guest blog banner

Part 3 of this series considers two angles on the issue of Controllers and Processors

Firstly firms need to consider the tricky technical subject of Identities and Roles. It is imperative that the path from the foundational identity management systems to the actual applications that do the work is as small as possible and that there are as few “types” of identity and supporting management systems as necessary.

Identities & Roles are a data management challenge that sits firmly on the CDO’s desk although I suspect many have not focussed on it to date – NB Authentication and Authorisation are technical mechanisms that belong on the CISO’s desk

In the troubleshooting and architecture roles I have held following the crash of 2008 and the various subsequent rogue trading scandals I have often found myself looking through the designs of major organisations Directory and AuthN/Z platforms and their supporting operational metrics. What I found was that many had been left to rot since their initial delivery either during the migration from Windows NT4 or Sun’s acquisition of Netscape.

If the CxO group responsible for running a GDPR programme in your organisation are not treating the foundational identity systems within their IT portfolio as core to compliance then frankly their organisation cannot be said to have achieved it.

As a salutary tale I know that one of the UK’s big 4 management consultancies chose to outsource the management and operation of their corporate directory platform and managed to split the contract across 2 different companies. The result was that they could not debug a replication/synchronisation fault that caused their entire client billing system to be offline for several days with lots of finger pointing between the 3 entities involved.

NB Identity is not just about people but also about location and legal entity or corporate function – especially in large multinational organisations with extended supply chains and of course having consistent “on behalf of” identities for subcontractors.

As we embed location and other metadata capabilities into mobile and corporate networks it is important that the identities used within the business data domain are consistent with those in the infrastructure domain – this is often a major faultline.

Segregation of Duties is a natural corollary to getting a consistent set of identities and roles – whilst many banks have built rather rickety patchwork solutions post Leeson, Kerviel and Adeboli in the wider GDPR space many corporates have not – this space is ripe for technical and operational reform

Having considered the technical aspects of the identities and roles that define Controllers and Processors within IT systems I shall now turn to some human factors.

Do the controllers and processors in your organisation really understand their legal responsibilities and how do you reinforce these without producing the most banal “Janet and John” training material that bedevils corporate workforces today and makes HR and the management “culture” that imposes them appear naïve and wasteful.

A potential area for addressing this is the notion of Concept Inventory based training where rather than completely wrong answers in the multiple choice answers the incorrect answers are carefully formulated to be “distractors”. The best way of actually implementing this is to use a Risk Based Concept Inventory approach where the “distractors” are based on actual incorrect actions that employees took that caused operational problems. In the next part of this series I will explore the notion of process and where operational errors occur.

In the meantime the “Exercise for the reader” for this part of the series is to ask your CDO how many identity types they manage and where they are kept then ask your CISO whether they know which business systems authenticate and authorise against each of their security platforms.


Rupert Brown is CTO of The Cyber Consultants. He has an unrivalled track record over 30 years in Banking IT comprising senior Strategic and Operational roles in Frontline Application Architecture, Development and Delivery as well as ground breaking Enterprise Technology Infrastructures. This has also been complemented by similar client facing leadership roles for Information Vendors and Silicon Valley “Unicorns”. He was formerly a Chief Architect at UBS and before that served in senior roles at Bank of America Merrill Lynch, Reuters, Paribas and Morgan Stanley.

This article was first published on Linkedin Pulse on 7th February 2017 and can be found here

The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.