Guest Blog /

“Digitizing” GDPR in Financial Services – Part 6 – Supervisory Authorities

Corix Partners guest blog banner

Two events this week have crystallised my thoughts for this part of the GDPR blog.

< Note: This article was first published on Linkedin Pulse on 1st March 2017 and can be found here>

Firstly I visited a RegTech conference and was buttonholed in the trade show area by a company proudly claiming that they had built their product as the result of a “hackathon” sponsored by the Financial Conduct Authority in the UK. A cursory inspection of their efforts revealed that they had produced a website with rather anaemic sans serif fonts that consumed data from another upstream Reg Tech service and then added a rather lightweight pseudo-semantic linkage between the core content and some mocked up on-premise data. This new layer would have to be recoded for each customer they engaged with, frankly the resultant “product” could not materially improve the compliance efforts of any organisation that was suckered into buying it.

The conference was also notable for the amount of issues highlighted by panellists around consistency of regulatory reporting data and the lack of viable identity schemes and content taxonomies that make the submissions meaningful and actionable. Brexit supporters also had a wry chuckle when a presenter from the European Commission announced another “review” and “initiative” to promote better “harmony” across the range of regulatory taxonomies.

The second catalyst for this edition of the blog pinpoints the real issues at stake not only for GDPR but also a wider portfolio of information content and technology infrastructure regulations.

As part of a bid submission to improve operational efficiency I have been examining part of the IT asset register of a Tier 2 International Bank. If the contents of the extract I have been provided with are to be believed then the institution has lost all knowledge of its IT estate. Simply put it would appear not to know a) What it has got, b) Where it is and c) How it is put together. There can only be one outcome from this discovery which involves a resignation letter in the top draw of the CIOs desk, a glass of whisky and the phrase “Sorry Carruthers – you know what to do old chap”.

It should be patently obvious to the reader from the two events above that the regulators seem to be “fiddling while Rome burns”; a basic spot hygiene inspection regime is needed to check the integrity of IT asset data across all corporations – very much akin to my note in the last blog entry about consistent watermarking/barcoding of subject data along its supply chain.

As an industry we need to get away from the “digital transformation” dandruff-like slogans that now litter the corporate landscape and the froth that hackathons and other random coding activities are producing. Practitioners must realise that effective implementation and enforcement of GDPR will result in the reduction of the variety of IT platforms and data interchanges rather than their haphazard proliferation by cookie cutting another GitHub site.

All the above probably sounds like a rather curmudgeonly combination of UK talent show judges Craig Revell-Horwood and Simon Cowell but the brutal truth is that we lack the real tools and techniques to measure and manage the explosion of always on always connected mobile devices and the relationships to their host datacentres.

That is where the opportunity lies for today’s aspiring IT practitioners and the regulators – there is plenty of work to be done, it may not be glamorous but it is clearly necessary as this week’s events have shown.

So it is time now for this posting’s “Exercise for the Reader” – go and look at the “age” of the entries in your company’s IT asset register – does every move and change get accurately reported or is the content just the results of a sweep activity that was triggered the last time someone looked too closely at it. You can’t run a supermarket or an online shopping site without accurate inventory – yet the underlying IT estate is often not managed the same way.


Rupert Brown is CTO of The Cyber Consultants. He has an unrivalled track record over 30 years in Banking IT comprising senior Strategic and Operational roles in Frontline Application Architecture, Development and Delivery as well as ground breaking Enterprise Technology Infrastructures. This has also been complemented by similar client facing leadership roles for Information Vendors and Silicon Valley “Unicorns”. He was formerly a Chief Architect at UBS and before that served in senior roles at Bank of America Merrill Lynch, Reuters, Paribas and Morgan Stanley.

This article was first published on Linkedin Pulse on 1st March 2017 and can be found here

The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.