
Digitizing GDPR In Financial Services – Part 4 – The Rights of the Subject


In the previous article in this series, I looked at the roles of Controller and Processor and the core issue of who is responsible for managing the range of identities and functions within an organisation vs who manages the technical mechanisms that authenticate, authorise and correctly segregate duties.

Now it is time to turn to the subject’s perspective on this regulation. Perhaps the most significant thing that GDPR adds to the existing panoply of data protection legislation is that it considers not just the subject’s data that is held, but also the processes that data is used for and how long those processes last.

The notion of a business process continues to be a stubborn challenge for IT Architects to define and manage. Indeed, in recent times there has been a significant trend for IT Architects to brand themselves as “Business Architects” to avoid being sucked into the ‘agile’ coding treadmill and its often inevitable journey to outsourcing and offshoring.

The challenge of how a business process is actually defined in a computer system is a complex one that has also become a classic case study in architectural entropy.

In the mainframe era, processes could be clearly identified within the batch systems that were operated to keep the expensive machinery busy at all times. Once terminal-based interactive systems were developed and basic email/data messaging platforms appeared, the processes disappeared into a flurry of arbitrary messages. Domain-specific BPM/Workflow engines were developed in an attempt to structure and manage these email and data interchanges, but in the present “cut and paste” era of software engineering these libraries of transformation and routing code have now become embedded arbitrarily into core business application platforms.

The result of this technology-induced anarchy is that knowing how many processes are actually codified within a complex organisation, and where their definition and operating state lie, presents a significant operational risk. When specialist operational risk and human factors teams are called in to analyse why organisations have catastrophic failures, their first-pass discovery often highlights a lack of understanding of what the core business processes are and who does what, let alone the consistency and efficacy of how they do it.

Trying to map a set of subject-related data records, which have themselves evolved over time, onto this jungle of activity is therefore an impossible task unless some form of understanding and order can be imposed on it.

In Financial Services some attempts have been made to define consistent nomenclatures for processes and artefacts; perhaps the two most notable poster children are BIAN and FIBO. However, despite a lot of marketing and tacit support within the industry, they have yet to make the breakthrough to widespread utilisation. The video posted on the BIAN site of a recent meeting followed by an apparently convivial dinner did nothing to engender belief in any substantive delivery either.

I strongly recommend that the FIBO and BIAN initiatives merge to move the nomenclature process forward, and that the likes of IFRS also participate to formally embed them into existing financial standards.

We are all Data Subjects, and it would be nice to hope that whenever we need to make GDPR-governed Data Subject Access Requests in the future, these are reported using an agreed standard nomenclature, especially in a world where we are constantly encouraged to switch accounts to maximize value.

As in previous articles, it is time for the “exercise for the reader”. This time, go and ask your business architects how well they understand where the business domains and processes they claim to own are held in the commercial applications and physical IT equipment that the company uses.

Next time I will look at the challenges of “Transfer of Data” in the realm of GDPR.


Rupert Brown is CTO of The Cyber Consultants. He has an unrivalled track record over 30 years in Banking IT, comprising senior Strategic and Operational roles in Frontline Application Architecture, Development and Delivery as well as ground-breaking Enterprise Technology Infrastructures. This has also been complemented by similar client-facing leadership roles for Information Vendors and Silicon Valley “Unicorns”. He was formerly a Chief Architect at UBS and before that served in senior roles at Bank of America Merrill Lynch, Reuters, Paribas and Morgan Stanley.

This article was first published on LinkedIn Pulse on 14th February 2017.

The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.