
“Digitizing” GDPR in Financial Services – Part 7 – Specific Situations


Welcome to the penultimate part of this series of articles, which will look at a few corner cases and leftover thoughts before I wrap up with a summary next time.

Let’s start with a tale from the first job I had after I graduated, which was building hotel front office systems on the first generation of IBM PCs, before the advent of Ethernet and NetBIOS, let alone TCP/IP.

When we installed a system, one of the specific sections of the end-user training was how to hide a “credit blacklist” in the system to deal with known bad clients and scammers. Even in those days it was totally illegal, but it was the only means at the time of checking a customer’s credit card quickly, because there were no electronic credit verification services.

Recently we have also seen the case of the blacklist run by a cartel of construction companies that denied many hundreds of people work because of their perceived union and political leanings. Then there are also the methods of “performance management” that companies use to “RIFF” the workforce or remove those who challenge management authority.

There is clearly a grey area in these cases where the rights of the individual need to be protected and any dubious dealings by a corporation need to be exposed versus the rights of the shareholders and management not to be overly distracted by spurious and vexatious claims.

GDPR will undoubtedly shine a light into this murky corner and should result in a number of test cases based on the content of subject access requests, which will also have to show which processes the “victim’s” data has been used for and for how long.

Picking up on the “duration” theme, it struck me as I came to write this piece that no one seems to have considered what the “right to be forgotten” means for the new generation of “Robotic/AI” systems that have some heuristic learning approaches built into them. Surely if my concrete personal data (name, address, etc.) is going to be forgotten, then any voice recognition or behavioural data must be deleted too!

This data will have very little client-identifying content embedded within it and is probably a very dense series of bitmaps of vocal and facial picture patterns. How do these learning algorithms record the identities of the people who contributed to their knowledge base, and if I happened to be the first customer to start a new learning pattern and was then “forgotten”, should the robot have to relearn its knowledge?

Clearly this means that we are going to have to record all the read and write events that relate to a piece of personal data. Companies therefore need to plan on having a very performant time series database to index these events, to analyse them for instances where data that should have been forgotten is still being accessed, and to record the processes that touched the data in order to build up a map of usage.

This can be extrapolated further to enter the complex realm of BiTemporality (i.e. what did you know and when did you know it) to deal with the challenges of enforced “Digital Dementia”, when an individual’s data needs to be partially deleted because it has served its useful purpose but some must remain. It must surely be the case that the schema definition for the deleted data will need to be preserved, along with its usage lifespan, after the content has been erased, to provide evidence to support a subject access request.
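To make the two preceding ideas concrete (an access log over personal data that flags reads after erasure, and a bitemporal store that keeps the schema and lifespan of a field once its content is gone), here is an added illustration that is not part of the original article. It is a small in-memory model, not a product or the author's own design; the subject, field names and the sample history are constructed.

```python
from collections import namedtuple
from datetime import datetime as dt

# ts = transaction time (when the system acted); process = business process that touched the data
Event = namedtuple("Event", "ts subject field op process")   # op: write | read | erase

class PersonalDataLedger:
    """Bitemporal ledger: versions keep valid time and schema after erasure; every access is logged."""
    def __init__(self):
        self.events, self.versions = [], {}   # versions: (subject, field) -> [version dicts]

    def write(self, ts, subject, field, value, process, schema="text"):
        hist = self.versions.setdefault((subject, field), [])
        if hist and hist[-1]["valid_to"] is None:
            hist[-1]["valid_to"] = ts         # close the previous version's valid-time interval
        hist.append({"value": value, "schema": schema, "valid_from": ts, "valid_to": None, "erased": None})
        self.events.append(Event(ts, subject, field, "write", process))

    def read(self, ts, subject, field, process):
        self.events.append(Event(ts, subject, field, "read", process))   # log the attempt even if it yields nothing
        live = [v for v in self.versions.get((subject, field), []) if v["valid_to"] is None and not v["erased"]]
        return live[-1]["value"] if live else None

    def erase(self, ts, subject, field, process):
        """'Digital dementia': drop the content, keep schema and lifespan as evidence."""
        for v in self.versions.get((subject, field), []):
            v["value"], v["erased"], v["valid_to"] = None, ts, v["valid_to"] or ts
        self.events.append(Event(ts, subject, field, "erase", process))

    def reads_after_erasure(self):
        """Audit query: reads of a field that happened after that field was erased."""
        erased_at = {(e.subject, e.field): e.ts for e in self.events if e.op == "erase"}
        return [e for e in self.events if e.op == "read"
                and (e.subject, e.field) in erased_at and e.ts > erased_at[(e.subject, e.field)]]

    def subject_access_report(self, subject):
        """Per field: schema, when first held, when erased, and which processes touched it."""
        return {f: {"schema": h[0]["schema"], "held_from": h[0]["valid_from"], "erased": h[-1]["erased"],
                    "processes": sorted({e.process for e in self.events if (e.subject, e.field) == (s, f)})}
                for (s, f), h in self.versions.items() if s == subject}

def build_sample_ledger():
    """Constructed sample history for one hypothetical data subject (not real data)."""
    L = PersonalDataLedger()
    L.write(dt(2017, 1, 5), "cust-42", "address", "1 High St", "onboarding")
    L.read(dt(2017, 2, 1), "cust-42", "address", "statement-mailing")
    L.write(dt(2017, 2, 10), "cust-42", "address", "9 Low Rd", "change-of-address")
    L.erase(dt(2017, 3, 1), "cust-42", "address", "right-to-be-forgotten")
    L.read(dt(2017, 3, 7), "cust-42", "address", "marketing-batch")   # the access the audit should catch
    return L
```

After erasure the report still shows that an "address" field of schema "text" was held from January 2017 and which processes used it, while `reads_after_erasure()` surfaces the stray marketing read.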

This episode has raised a number of interesting “exercises for the reader”: how to sufficiently describe the boundary HR processes around “performance” and planned redundancy, and, for the data architect, how to deliver BiTemporal personal data management and subject access reporting.

In the final part of this series I will attempt to draw the discussion threads together and then try to summarize what GDPR means, how to start on the journey to compliance, and where useful business value can be derived rather than just grudging adoption.


Rupert Brown is CTO of The Cyber Consultants. He has an unrivalled track record over 30 years in Banking IT, comprising senior Strategic and Operational roles in Frontline Application Architecture, Development and Delivery as well as ground-breaking Enterprise Technology Infrastructures. This has also been complemented by similar client-facing leadership roles for Information Vendors and Silicon Valley “Unicorns”. He was formerly a Chief Architect at UBS and before that served in senior roles at Bank of America Merrill Lynch, Reuters, Paribas and Morgan Stanley.

This article was first published on LinkedIn Pulse on 7th March 2017 and can be found here.

The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.