Seasons greetings from this unseasonably warm UK

Just a short post to both thank my clients during the last year, and for those who have noticed a lack of recent postings to assure you I am still alive.
First the thanks. After two and a half years it is good to know that there is demand for an independent analyst. As the majority of my engagements have been under very restrictive NDAs, I must be careful who I name, but you know who you are and I thank you for your business. Two I can name are Capita and AIIM both of whom have indulged my passion for Data Protection and the forthcoming EU General Data Protection Regulation in particular.
Second my focus for research and consultancy in 2016. GDPR will I believe stay top of my list, as part of the Information Management stream. In addition, despite the UK appearing to give up on renewable energy from photo-voltaic sources (solar panels), I will still be doing a lot of work on market sizing, pricing and sustainable business models, both for the UK and across Europe.
So seasons greetings to all, and all the best for 2016.
Mike

#gdpr - still keeping me busy

Following last week's AIIM webinar, I am currently early preparation for a 19 November Capita event http://bit.ly/1JSlT7O. Bit scary as representatives of the UK Information Commissioner's Office (ICO), the EU and the UK Ministry of Justice will be speaking as well. Despite delays in getting the Regulation through it is now very high on the agenda.

UK-related examples, poppy sellers being hounded for charity donations, Lloyds bank customers having their data lost by RSA, and of course all those who submitted their details to Ashley-Madison.
However, lots of challenges still out there to be addressed. Should be an informative day for speakers as well as attendees.

Update and musings

Apologies to all that I haven't been tweeting or blogging much in the last couple of months (I know you have(n't) missed me) - sadly one AR person asked was I still working!
With a number of colleagues msmd advisors has been undertaking significant number crunching around renewable energy (particularly PV - photo-voltaic) for a variety of clients. 'Top and bottom' - expect lively debate about PV in the next term of the UK parliament.
Back to the 'day job', the EU General Data Protection Directive (#GDPR) will be the focus for the autumn. Speaking for AIIM on 24 Sept (http://bit.ly/1JSlT7O)  and at a Capita conference in November. Again this could be interesting politically in the next year.
If any of the above topics have 'stimulated' your interest, check out the contact page of the msmd advisors website.

AIIM webinar on EU Data Protection 24 September

Just putting final touches to my presentation. Despite the migrant crisis, there is a lot going on at the moment across Europe on #gdpr. Somewhat ironically having GDPR in place by now, may have helped address the information flow issues which could support a 'whole Europe' policy for migrants/refugees.

Should I upgrade to Windows 10?

Recent contribution to IT Pro's missive -  http://bit.ly/1IX4v7E

“15 different types of spaghetti”

The most recent failure of UK bank RBS, and its group of companies, to process 600,000 payments, illustrates yet again the major problems underlying the IT systems of not just the banking sector, but any industry where there have been multiple, often rapid mergers and acquisitions.

One RBS executive reportedly said to the UK’s BBC that the bank’s systems we like “15 types of different spaghetti”. To my knowledge, and from my experience of the industry, that is a significant underestimate of the complexity.

RBS, before the financial crash of 2007/8, when it had to be bailed-out by the UK government to the tune of £46 billion, was for a short time the largest bank in the world. Its size came from a rapid period of acquisitions, most notably under the direction of CEO Fred Godwin, who became known as ‘Fred the shred’, reflecting the bank’s penchant for divesting itself of personnel in the newly acquired subsidiaries in order to boost profits, and thus the share price.

Sadly the rapidity of mergers and the loss of people who understood the IT systems of the acquired companies did not bode well for RBS trying to operate and report as a group.

In 2012, for several weeks, 6.5 million customers of RBS and its Nat West and Ulster Bank subsidiaries  could not use their online banking facilities, some could not make mortgage payments, and others outside the UK could not withdraw cash. This not only resulted in a loss of face and confidence, but a £56 million fine from the UK regulator.

The problem was diagnosed as software incompatibility which became apparent following a software upgrade, amplified by the fact that the bank didn’t have contingency processes in place to mitigate the problems.In December 2013 more than 1 million RBS, Nat West, and Ulster Bank customers found they could access their accounts after what appeared to be a similar failure, but with a different system.

Finally to June 2015, after the bank had reportedly spent the originally planned £2 billion on upgrading its systems, plus another £750 million, 6% of the transactions to be processed overnight failed because ‘the file could not be read properly’.

Having spent the majority of the last three years working around FINTECH, principally in the UK banking sector, I can only say I am not surprised.

Most of the major banking core back-end systems were written several decades ago, based around batch processing, are robust, well documented and supported. However, the ‘front-ends’ to those systems for on-line access, such as via the internet and latterly mobile devices, have not been built as well, and their desire for near real-time processing is fundamentally at odds with the back-end systems.Add to that RBS, like the majority of banks following mergers and acquisitions, is running multiple back and front-end systems, and has had to write ever more complex code to integrate those systems together, the numbers of different spaghetti types could be many multiples of 15.Sadly for us as bank customers RBS' recent predicament is just an example of what can (and will) go wrong.

My thoughts about RBS’ exposure to such problems are that during ‘rationalisation’ following its acquisitions, it lost much of the knowledge regarding the integration of systems within the IT systems of its subsidiaries. Furthermore integration between the systems of the business units was done tactically, and not as part of a planned strategic investment. Thus, when upgrading central and cross-business systems, not all can be tested properly before the upgrades are applied. This was compounded by a lack of mitigation plans, which could have led to a faster resolution of the resulting problems.

To be fair to RBS, it has put a ‘shed-load’ of somewhat belated investment into getting its systems together, and it put it's 'hands up' very quickly to the failure.  Another bank I worked with had a server it didn’t dare switch off, because at the time it did not know which other systems across the bank and its subsidiaries that the server’s information supported. Having looked at them all in a lot of detail, there are only two large banks I would feel confident with to handle my data, without a major mishap such as at RBS, and even those have some problems with their manual processes.

So what is the answer? Well thankfully it is already happening in the all banks reviewing/renewing their systems, and doing it in a planned and measured way. Not ‘on-the-fly’ to meet the next financial reporting date. Those in industries outside banking should not be complacent, the problems experienced by RBS are not sector specific. Need I remind my colleagues stuck in airport lounges of upgrade problems on the UK's air traffic control system, run by NATS?

Will we see a repeat of the repeat of RBS’ problems at it, or other banks, or in other industries? Yes, there are at least 350 different types of pasta in the world.

Want to use a Nest Cam in the UK? - Register with the ICO

The announcement that Google’s smart homewares firm Nest has developed a motion-activated web cam for home security purposes sounds like a neat idea for those householders about to leave on holiday, or want to know what the au pair is doing in their bedroom when they are out at work.

However, householders using the Nest Cam technology in the European Union (EU) need to be aware that any images they capture of people are regarded under 95/46/EC as personal data, and as such, those that capture the images need to register with their country’s Data Protection Authority (DPA) that they are storing personal information, and potentially in order to comply with the registration, put up signs warning people in the house that they may be subject to recording of their activities.

The new device comes from developments following the acquisition of Dropcam by Nest in 2014 (which itself had only recently been acquired by Google). Motion-activated, it streams and then records live video to Google’s servers. It then ‘alerts’ those customers and then gives them access to the recordings for 10 or 30 days, for a ‘nominal’ amount of £8 or £24 per month respectively. So that’s the technology bit.

Now the legal aspect. Under the EU Directive 95/46/EU images of people, are personal data, and as such should only be managed by a Data Custodian who can ask a Data Provider to store it on their behalf, although the Data Custodian retains ultimate responsibility for the storage, access and even loss or breach of the data.

Now the fun bit, and why we need the forthcoming EU Data Protection Regulation (#EUdataP, #gdpr) without it being watered down over the next months.

Data Protection today (UK focused)
The Data Custodian is the person/organisation capturing the personal data, so the householder, and therefore Google (with the majority of it’s servers in the US), will be the Data Provider. But with a Nest Cam, it could potentially be argued that Google via Nest is the Data Custodian, but that misses the real issue of 'informed consent' for the data to be stored.

In either circumstance, under 95/46/EU personal data captured in the EU can only be ‘exported’ outside the European Economic Area (EEA) with the explicit consent of the data subject, easy when you fill in the bank loan application, but how do you get the ‘ne’er do well’ who is taking your iPad and jewelry from your bedroom to consent that their image can be stored by a hosting provider in US?

Simple fact, you need to alert them to the fact they are being recorded. Thus a sign such as we see in many ‘public places’ in the UK, stating that images are subject to recording, and who the is Data Custodian, is probably going to be required in houses installing a Nest Cam. Furthermore, taken to the limit of the UK law, the householder needs to register with the UK Information Commissioner’s Office  (ICO) – other EU countries have their own DPA - as a Data Custodian. The reason being if you are not the Data Custodian (in the UK), and you present evidence gathered without the data subject’s consent, that may be inadmissible in court.

Do you really want a Nest Cam? Of course you do, it will be fun when the smallest child says that the dog has eaten the cheese in the fridge. But please ensure you have registered yourself as a Data Controller with the ICO.