Blockchain in a post GDPR World

Blockchain’s explosive growth has had businesses all over the globe scrambling to invest. But with GDPR fast approaching, how will an unchangeable database cope with the right to be forgotten?

How do you inflate your share price by 400% in a day? The answer is simple: add the word blockchain to your company’s name. As absurd as these figures seem, this is actually what happened last October to venture capitalist firm On-line Plc, following their decision to alter their name to On-line Blockchain Plc.

Olivia Green - Article

This shocking report is an accurate reflection of the current level of hype surrounding this new technology, with companies left, right and centre moving to adopt blockchain. A reported 57% of large UK corporations now have immediate plans to implement blockchain into their infrastructure by the end of 2018, while demand for blockchain specialists has nearly tripled in the last year alone. But while organisations have been avidly investing in this new phenomenon, they have also (rather more reluctantly) been preparing for an equally important, but slightly less exciting, development in the tech world: GDPR.

Much of the hype surrounding blockchain has been garnered because it is an immutable method of storing information, meaning that once information is loaded onto the blockchain, it cannot be edited or deleted. However, come May 2018, this unique feature may bring more pain than joy to businesses, as one of the most significant clauses in GDPR comes into effect: the right to be forgotten. This stipulates that individuals have the right to insist that organisations erase any personal information they hold on them. Apply this clause to blockchain, and the result is a non-compliant system and a £17 million fine. So what options do businesses have?

Edit the uneditable

One answer is to change blockchain itself. Accenture, for example, have recently patented an “editable” version of blockchain, which can be altered under certain circumstances by pre-ordained parties, a modification that could be easily moulded into being GDPR compliant and, at first sight, an appealingly easy solution.

However, there are some problems with this approach. As critics have pointed out, one of blockchain’s key (and unique) values is its immutability. It is this feature, making it immune to certain kinds of malicious interference such as misappropriation of assets or fraudulent financial reporting, that gives it so much appeal. By allowing even the possibility of interference, its trustworthiness as an absolute source of information is diminished. For organisations such as banks and other financial institutions, who are anxious to utilise the power of blockchain to build trust and protect against this kind of interference, an “editable blockchain” is unlikely to be a satisfactory solution.

Legal loopholes

For those who are either unwilling or unable to adopt an editable model, legal solutions may be sufficient. GDPR itself offers no explanation as to what “erasure” actually constitutes, and, while this might seem obvious at first sight, it could be an opportunity. In the past, for example, some authorities have ruled that encryption can legally be equal to deletion: that is, if data is irreversibly encrypted, it is considered to be erased. It is possible to apply mechanisms like this to data stored on blockchain, by encrypting pieces of data and then “losing” the decryption key, effectively meaning that the information can never be read.

However, this is a risky solution for organisations. As the data is not actually deleted in this process, but simply rendered inaccessible, it may be vulnerable to future technological developments able to break its encryption (quantum computing, for example). With this in mind, it is likely that European authorities will insist on a strictly all-or-nothing interpretation of data deletion, meaning that relying on mechanisms such as encryption to achieve compliance would be dangerous.

Going off-grid

If neither of these options suffices, businesses can take a more extreme route: remove personal data from the blockchain completely. This does not necessarily mean disposing of blockchain too: one possible workaround, described in more depth here, reduces blockchain to a simple “access control medium”; instead of storing personal information on the chain, links to external databases containing said information can be placed in blocks. As the rules of blockchain no longer apply in these external databases, any information stored like this could be freely deleted or changed at will. The benefits of this approach are clear: it allows for full, uncontested erasure of data, while still retaining some of the functionality of blockchain.

However, as with the other options, this is still not a wholly satisfying solution. It creates an inefficient, complex process, and reduces transparency over who is accessing personal data and how, paradoxically creating even more hurdles to GDPR compliance, which also requires that organisations have accessible and transparent processes for data management. Additionally, removing data from the immutable environment of blockchain gives rise to the same problems faced by Accenture’s “editable blockchain”; external databases can be altered or subjected to fraudulent interference, and so the trustworthiness of the system is undermined.
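The two mechanisms discussed above, crypto-shredding (encrypt on-chain, then destroy the key) and the off-chain pointer pattern, shown side by side in one added Python illustration; this is not code from the article or from any blockchain product. The toy hash-chained ledger, the SHA-256 counter-mode keystream standing in for AES-GCM, and the dict-backed key store and off-chain database are all constructed assumptions for the demo.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256(key || nonce || counter) keystream XOR; the same call encrypts and
    # decrypts. Constructed stand-in for AES-GCM, not a production cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _canon(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True).encode()

class Ledger:  # toy append-only hash chain; every block commits to its predecessor
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.blocks.append({"prev": prev, "body": body, "hash": digest})
        return len(self.blocks) - 1

    def verify(self) -> bool:
        prev = GENESIS
        for blk in self.blocks:
            expected = hashlib.sha256((prev + blk["body"]).encode()).hexdigest()
            if blk["prev"] != prev or blk["hash"] != expected:
                return False
            prev = blk["hash"]
        return True

class Controller:  # immutable ledger plus two mutable, erasable stores
    def __init__(self):
        self.ledger = Ledger()
        self.keys = {}      # subject_id -> key; dropping it is the "erasure"
        self.offchain = {}  # record_id -> (salt, record); deletable at will

    # Strategy 1: crypto-shredding. The ciphertext stays on-chain forever.
    def store_encrypted(self, subject_id: str, personal: dict) -> int:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(key, nonce, _canon(personal))
        return self.ledger.append({"type": "enc", "subject": subject_id,
                                   "nonce": nonce.hex(), "ct": ct.hex()})
    def read_encrypted(self, index: int):
        blk = json.loads(self.ledger.blocks[index]["body"])
        key = self.keys.get(blk["subject"])
        if key is None:
            return None  # key shredded: bytes remain on-chain but are unreadable
        pt = keystream_xor(key, bytes.fromhex(blk["nonce"]), bytes.fromhex(blk["ct"]))
        return json.loads(pt)
    def shred_key(self, subject_id: str) -> None:
        self.keys.pop(subject_id, None)

    # Strategy 2: off-chain storage. Only a salted commitment goes on-chain.
    def store_offchain(self, record_id: str, personal: dict) -> int:
        salt = secrets.token_bytes(16)  # defeats guess-and-hash re-identification
        self.offchain[record_id] = (salt, personal)
        digest = hashlib.sha256(salt + _canon(personal)).hexdigest()
        return self.ledger.append({"type": "ref", "record": record_id, "digest": digest})
    def read_offchain(self, index: int):
        blk = json.loads(self.ledger.blocks[index]["body"])
        entry = self.offchain.get(blk["record"])
        if entry is None:
            return None  # erased: the on-chain digest now points at nothing
        salt, personal = entry
        if hashlib.sha256(salt + _canon(personal)).hexdigest() != blk["digest"]:
            raise ValueError("off-chain record does not match on-chain commitment")
        return personal
    def erase_offchain(self, record_id: str) -> None:
        self.offchain.pop(record_id, None)

def demo() -> dict:
    # Both strategies on a constructed sample subject (not real data).
    c = Controller()
    alice = {"email": "alice@example.invalid", "name": "A. Example"}
    enc_idx = c.store_encrypted("subj-1", alice)
    ref_idx = c.store_offchain("rec-1", alice)
    before = (c.read_encrypted(enc_idx), c.read_offchain(ref_idx))
    c.shred_key("subj-1")      # erasure request, strategy 1
    c.erase_offchain("rec-1")  # erasure request, strategy 2
    after = (c.read_encrypted(enc_idx), c.read_offchain(ref_idx))
    # An altered off-chain record no longer matches its on-chain commitment.
    idx2 = c.store_offchain("rec-2", alice)
    salt, rec = c.offchain["rec-2"]
    c.offchain["rec-2"] = (salt, {**rec, "email": "mallory@example.invalid"})
    tamper_detected = False
    try:
        c.read_offchain(idx2)
    except ValueError:
        tamper_detected = True
    return {"before": before, "after": after, "blocks": len(c.ledger.blocks),
            "chain_intact": c.ledger.verify(), "tamper_detected": tamper_detected}
```

The chain verifies unchanged after both erasures, which is the point of each approach, but the residual risks the text raises stay visible: the shredded ciphertext is still on the ledger, and the on-chain digest only detects alteration of the off-chain record, it does not prevent it.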

An uncertain future

So where does this leave organisations who use blockchain? The answer, at this stage, is frustratingly unclear. Every solution detailed above involves either sacrificing the functionality (and benefits) of blockchain or risking the security of personal data. The latter is hardly an attractive option, and if organisations must transform the blockchain beyond recognition to become compliant with GDPR, it begs the question: what is the point in using the blockchain at all? Yet it is hardly practical for authorities to demand that organisations simply stop using blockchain, given its soaring popularity, proven benefits and widespread adoption.

In ethical terms, blockchain’s immutability is a paradox: on the one hand, it helps to prevent corruption, fraud and theft; on the other, it removes the individual’s rights over his or her personal information. This paradox makes it a complicated system to legislate for effectively, and the current tensions are symptomatic of lawmakers’ struggles to keep up with new developments in the fast-paced and ever-changing world of technology. In this case, it may not just be businesses that need to adapt; legislators too may need to take an iterative and flexible approach to GDPR.

Come May 2018, reconciling GDPR and blockchain will likely be just one challenge among many for both corporations and legislators. Yet as blockchain becomes ever more tightly wound into the infrastructure of major organisations around the globe, it is not a challenge that either can afford to ignore.

The Apple of my AI – GDPR for Good

Artwork by @aga_banach

Our common perception of machine learning and AI is that it needs an immense amount of data to work. That data is collected and annotated by humans or IoT-type sensors to ensure the AI has access to all the vast information it needs to make the correct decisions. With new regulations to protect stored personal data like GDPR, does this mean AI will be at a disadvantage because of the restrictions on IoT and data collection? Maybe not!

What is GDPR and why does it matter?

For those who are outside of the European Union, GDPR (General Data Protection Regulation) is designed to “protect and empower all EU citizens’ data privacy”. Intending to return the control of personal data to individual citizens, it grants powers like requests for all data a business holds on them, a right to explanation for decisions made and even a right to be forgotten. Great for starting a new life in Mexico, but will this impact how much an AI can learn due to the limiting of information?

What’s the solution?

A new type of black box learning means we may not need human data at all. Falling into the category of ‘deep reinforcement learning’, we are now able to create systems which achieve superhuman performance in a fairly broad spread of domains. AIs are able to generate all training data themselves from simulated worlds. The poster-boy of this type of machine learning is AlphaZero and its derivatives from Google’s DeepMind. In 2015 we saw the release of AlphaGo, which demonstrated the ability for a machine to become better than a human in a 5–0 victory against (former) Go champion Mr Fan Hui. AlphaGo reached this level by using human-generated data of recorded professional and amateur games of Go. The evolution of this, however, was to remove the human data with AlphaGo Zero, beating its predecessor AlphaGo Lee 100:0 using 1/12th the processing power in a fraction of the time, and without any human training data. Instead AlphaGo Zero generated its own data by playing games against itself. While GDPR could force a drought of machine learning data in the EU, simulated data from this kind of deep reinforcement learning could re-open the flood gates.

Playing Go is a pretty limited area (though AlphaZero can play other board games!) and is defined by very clear rules. We want machine learning which can cover a broad spread of tasks, often in far more dynamic environments. Enter Google… again… Or rather Alphabet, the parent company of Google, and their self-driving car spinoff Waymo. Level 4 and 5 autonomous driving presents a much more challenging goal for AI. In real time the AI needs to categorise huge numbers of objects, predict their future paths and translate that into the right control inputs, all to get the car and its passengers where they need to be on time and in one piece. This level of autonomy is being pursued by both Waymo and Tesla, but seemingly Tesla gets the majority of the press. This has a lot to do with Tesla’s physical presence.

Tesla has around 150,000 equipped cars on the road and boasted over 100 million miles driven by AutoPilot by 2016. This doesn’t even include data gathered while the feature is not active or more recent data (which I am struggling to find — if you know please comment below!). Meanwhile Waymo has covered a comparatively tiny 3.5 million real-world miles, perhaps explaining the smaller public exposure. Google thinks it has the answer to this, again using deep reinforcement learning, meaning that their vehicles have driven billions of miles in their own simulated worlds, not using any human-generated data. Only time will tell whether we can build a self-driving car which is safe and confident on our roads alongside human drivers without human data and guidance in the training process. The early signs for deep reinforcement learning look promising. If we can do this for driving, what’s to say it can’t work in many other areas?

Beyond being a tick in the GDPR box there are other benefits to this type of learning. DeepMind describes human data as being ‘too expensive, unreliable or simply unavailable’, and the second of these points (with a little artistic licence) is critical. Human data will always have some level of bias, making it unreliable. On a very obvious level, Oakland Police Department’s ‘PredPol’, a system designed to predict areas of crime to dispatch police, was trained on historical and biased crime data. It resulted in a system which dispatched police to those same historical hotspots. It’s entirely possible that just as much crime was going on in other areas, but by focusing its attention on the same old areas and turning a blind eye to others, the machine struggled to break human bias. Even when we think we’re not working on an unhealthy bias, our lives are surrounded by unconscious bias and assumptions. I make an assumption each time I sit down on this chair that it will support my weight. I no doubt have a bias towards people similar to me, believing that we could work towards a common goal. Think you hold no bias? Try this implicit association test from Harvard. AlphaGo learned according to this bias, whereas AlphaGo Zero had no bias and performed better. Looking at the moves the machine made we tend to see creativity, a seemingly human attribute, in its actions, when in reality its thought processes may have been entirely unlike human experience. By removing human data, and therefore our bias, machine learning could find solutions in possibly any domain which we might never have thought of, but which in hindsight appear a stroke of creative brilliance.

Personally I still don’t think this type of deep reinforcement learning is perfect, or at least the environment it is implemented in isn’t. Though the learning itself may be free from bias, the rules and the playing field, be that a physical game board, a road layout, a factory, an energy grid or anything else we are asking the AI to work on, are still designed by a human, meaning they will include some human bias. With Waymo, the highway code and road layouts are still built by humans. We could possibly add another layer of abstraction, allowing the AI to develop new road rules or games for us, but then perhaps they will lose their relevance to us lowly humans who intend to make some use of the AI.

For AI, perhaps we’re beginning to see GDPR as an Apple in the market, throwing out the old CD drive, USB-A ports or even (and it still stings a little) headphone jacks, initially with consumer uproar. GDPR pushing us towards black box learning might feel like we’re losing the headphone jack a few generations before the market is ready, but perhaps it’s just this kind of thing that creates a market leader.

Regulation and compliance: the new certainties in life

by Miles Elliott, Director of Credit Risk

Benjamin Franklin once wrote that ‘in this world nothing can be said to be certain except death and taxes’. But in these more modern times, especially for financial services organisations – we should perhaps add ‘regulation and compliance’ to the list. In 2018, a wave of new regulation is being introduced – and one of the most far reaching is the General Data Protection Regulation (GDPR).

GDPR: are you ready…?

From 25 May 2018, organisations across Europe will have to strengthen controls associated with collecting, managing and using personal data. Resulting activity will see significant changes to IT systems as well as the way organisations engage with their customers.

There’s less than a year to go until GDPR becomes a way of life, but a survey in May 2017 suggested that only 10% of organisations have mature GDPR plans in place – with a further 40% at an intermediate phase.

That leaves half of organisations at the beginning of their compliance journey – and the clock is ticking!

GDPR: the cost of non-compliance…

Becoming fully GDPR compliant will be challenging and will require a holistic approach to data management and governance. Organisations run the risk of failing to respond to the scope of activity involved and the amount of time needed to ensure compliance. Another common issue is the lack of skills and experience to deliver such a comprehensive change to governance controls across a business. To put this into context, in 2016 alone there were 1.4 billion data breaches across the industry.

Fines for failing to comply with GDPR are expected to be highly penal as well as leading to material reputational damage.

Don’t go it alone – work with an expert in assured compliance

So what should today’s hard-pressed organisations do, especially if they don’t understand the full extent of GDPR? The answer is to work with an organisation like Sopra Steria that’s got a track record in complex data management AND offers a ‘comprehensive’ approach to GDPR compliance. Our pragmatic ‘think, build and run’ approach empowers organisations to pick and choose the path to GDPR compliance that is right for them. As experts in Data, Analytics and Technology, we can help you quickly identify data gaps and risks, work with you to develop remediation solutions and support you moving forward with on-going compliance monitoring.

The clock is ticking…

So don’t get caught out! Make sure you aren’t one of the 50% of companies still asking “What is this GDPR?” Take your first steps today to GDPR compliance and get fully prepared for the 2018 deadline. Remember, 2018 is the year of new regulation – make sure it’s a happy one!

See more information about how we can help you get compliant.

Get in touch to discuss how to meet your GDPR challenge and support your journey to assured compliance.

Why regulatory compliance offers a win-win situation

by Tej Sembi, Business Development Sopra Steria

A number of scandals in recent years, like the flawed reporting of hip replacement devices leading to huge compensation payouts and fines, suggest that the medical device industry has a problem. Do the big players really care? Well, the work we have been doing shows that all concerned in this industry do care – patient safety is their number one concern.

The world of regulation is changing and catching up with technology. New standards and medical device directives are being introduced worldwide – from the US, to the UK, Europe and beyond. These make it clear that the industry must behave more responsibly. For example, ISO 13485:2016 extends the previous edition of the quality management system requirements for medical devices and risk.

A driver for differentiation

While this is clearly great news for the end user, there is also another positive outcome from these changes. I believe new regulatory regimes present a fantastic opportunity for medical device and implant companies to radically change the way they use and interpret product data to provide business benefit. In fact, with the right mindset, they represent a driver for differentiation and increased competitiveness.

Let me explain. Companies have to comply with the legislation, which means that they are committed to spending in this area, so does it not make sense to maximise this investment? The data will need to be collated and managed, so why not look at how it is also used by other business areas and tap into this much underused resource?

On average, companies are said to base decisions on around 20% of available data, so what could be achieved if they could harness more? These untapped sources of data contain a whole myriad of information. Complying with the new regulations will give companies the opportunity to have better visibility and control over clinical outcomes and supporting data, which could be used across the organisation to enhance patient safety, improve portfolio management, and improve sales and marketing alongside its vital role in compliance.

Reducing exposure to risk

Ultimately the right solution to the compliance challenge should deliver a better understanding of customer/patient needs and outcomes, gain clarity over validation, verification and design activities, and support the prediction of product lifecycles in terms of maintenance, performance, end-of-life and potential usage-based issues or damage.

The more an organisation knows about each of these areas of its business, the better able it will be to reduce the company’s exposure to litigation, improve operational efficiencies and sales opportunities and, crucially, enhance product development and patient outcomes.

Thus, regulatory compliance becomes a win-win situation all round: healthcare providers have confidence in the efficacy of the medical devices they procure, patients trust that the devices they depend on are safe and robust and manufacturers gain the customer and product insight they need to differentiate and protect their brand reputation.

What do you think, am I mad to suggest compliance is really an opportunity? Leave a reply below, or contact me by email, I’d love to hear your thoughts.

Always-on, always prepared: the cyber security questions Financial Services organisations need to ask

Financial institutions continue to grapple with the ever increasing complexities of cyber security. As online services across all channels grow, so does the security risk. The underlying questions are – how do organisations modernise the legacy platforms that were not designed for the open, connected world of today’s demanding consumer base, and provide the services and interfaces in a secure manner?

The continual growth and competitiveness in digital services continues to disrupt the market. Whether they like it or not, financial firms and their customers will always be seen as targets and those that take this lightly, or avoid the gravitational pull of online services due to security concerns, will be left behind.

That being said, many organisations are trying to put the right protection in place. The key responses to any security incident are monitoring, reacting and remediating. We have seen from recent breaches that the way that a financial institution reacts and addresses its customers that have been affected can make all the difference. Admitting that a security breach has happened is never easy but your customers are more likely to stay loyal to your brand if you openly discuss the security breach, what information or even money was taken and the remedial activities that you are promptly taking.

Open Banking is getting closer – are you ready?

This August, the Competition and Markets Authority published the final report on its retail banking market investigation. By requiring banks to implement Open Banking by 2018, it has reinforced the UK’s transition to a transformed banking landscape based upon a foundation of Open Banking. While certainly a positive step, Open Banking raises more questions around security. Financial institutions need to look at the security around their APIs, covering both internal and external protection layers – what data is exposed through the APIs, and who may be calling the API? In moving to this new world, what competencies in the organisation exist to create and test these new services? The IT organisation that was designed around creation of services for a customer must now address service management and governance of an estate that exists in a digital always-on connected ecosystem of consumer and business relationships.

Data and information are new focal points for the industry, and this is being highlighted by the new General Data Protection Regulation (GDPR) which will be introduced in 2018. The days have gone where we have one, two or three front doors. We now have multiple connections in and out of networks with services being hosted in cloud, hybrid and SaaS services.

Do you know where your information assets sit – especially your most critical and vital assets?

General Data Protection Regulation – honesty and openness

Looking to 2017 and 2018, notification of breaches will look quite different for a large number of financial institutions. Unlike the directive in the Data Protection Act which was silent on the issue of data breach, GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects.

This notification to the authority must “at least”:

  1. Describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected;
  2. Provide the data protection officer’s contact information;
  3. Describe the likely consequences of the personal data breach;
  4. Describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

The last sentence will undoubtedly give some pause for consideration and needs to be thought through. Whilst being open and honest with customers following a breach is essential, how much information is satisfactory to release, and under what circumstances should some information be held until the precise nature of method and impact is understood?

We find ourselves in an information conundrum. We know that openness and honesty following a breach are important, but that full clarity on a situation is not always instantly available. Security breaches can take place and it can take time before a complete story is put together – but the longer it takes, the greater the concern from customers that a security breach is not being effectively managed. That is why it is essential to prepare in advance and have processes in place in the event of a breach. Testing these plans and creating playbooks for certain scenarios is something a lot of organisations are doing.

Criminals work at Christmas

Financial organisations have had to adjust to the requirements of their customers who want services online 24/7. We have seen high street financial institutions opening at weekends, evenings and even Sundays. The world of internet banking allows customers to access financial systems all day, every day.

On the other side of the coin, cyber criminals don’t mind working weekends, holidays or Christmas Day. An organisation’s incident plan needs to be able to react to whatever happens, whenever it happens, and be flexible enough to develop one or more alternative approaches. The Security Operations Centre (SOC) needs to be sufficiently resourced with access to on-call technical expertise, and they in turn need access to the evidence and to the activity under investigation.

Most people feel confident that their SOC is 24/7 – but it goes further than this. Imagine that you have had a breach on Christmas Day. Can you pull together a legal representative, someone who can talk to the press, the CEO and other important members of staff within your organisation?

We all have business continuity plans and disaster recovery plans, but it’s time we started thinking about security incident response plans that are truly organisation-wide.

If you’re interested in finding out more about our Cyber Security offerings you can visit our website, or email us at info.uk@soprasteria.com.

This blog was first published on Finextra.com, 11 November 2016

Digital at scale: how digital can transform business

If you spend time at pretty much any tech company, from startups to big corporates, you’re likely to hear the word ‘digital’ a bit too much. Some people are doing it, some are making their journey towards being more digital and others are still struggling to define what exactly it is, and in many ways, it’s that final category that has the most honest answer to the question – what is digital? And this is what experts from the technology and financial services industry discussed during a recent seminar at London Technology Week.

It’s easy to define digital as being about technologies – that digital is at its core the binary ‘0’s and ‘1’s, on and off, and all the brilliant devices and interfaces that have spawned out of it. While that’s not entirely wrong, it paints a picture that everything digital is very clean cut, with a definite right and wrong answer that follows any question – but the truth is very different. The technologies are far from a constant, and everything from the technology chosen to the implementation will change not only for different demographics but from person to person, and will adapt to their current situation, desires, needs and moods. Technology, then, is transient, and to be truly digital you must be open to constant and relentless change, throwing away technology, processes and ways of working constantly, and ensuring that the new tool adopted is chosen intelligently, to be the best tool for the job and the most commercially viable solution.

This, however, all sounds like the territory of startup businesses. Businesses that are new to the scene, or with very flexible business models, are often far more adept at change as they do not have the long-standing commitments to clients, legacy platforms and some of the regulatory requirements of their big corporate counterparts. Some may suggest that these big corporates should simply throw away the legacy platforms, circumvent the regulation and transform their clients, and noble though that may be, it’s a fool’s errand. For these businesses, what they really need is to find a way to take advantage of new technology, whatever that may be, and develop systems that allow them to adapt to change which work alongside and complement their legacy ‘technological debt’ and support their regulatory requirements rather than dispose of them. This is digital at scale.

Put simply, digital at scale explores how businesses can leverage digital, be it technology, ways of working or any other idea that comes under the umbrella of digital to transform their business, supporting existing technologies, commitments and regulation where appropriate, and disposing of them where necessary.

Sopra Steria’s MiFID II project with the FCA is an example of where digital at scale has been implemented. For all the businesses that are wary of how technologies like cloud and open source could work in a highly regulated environment, there’s no better example than that of the regulator itself adopting these technologies. The MiFID II regulatory support service is built for the cloud, ingesting, processing and persisting files on AWS, with innovative open source platforms like Cassandra and Spark ensuring that all submissions are processed quickly and with an extremely high degree of accuracy, with an architecture that supports changes should a specific client or geography require them, like private vs public cloud or separate technology components. What is particularly profound about this solution, though, is how it backs into and supports the legacy environment through a simple FTP gateway, ensuring that the wealth of historical data is utilised and, as is so important in an environment like this, remembered, with a system that can speak both the languages of the old and the new into the future, maintaining a stream of communication regardless of changes made on either end.

The MiFID II platform is only one example of these principles put to work, and though the distant future might see us living in a fully digital world we must be conscious today that whether we transition fast or slowly, we must do so safely too, and with a strong commercial focus to build not simply small digital players, but truly successful enterprises with digital at scale.

Find out more about our FCA Market Data Processing project and Sopra Steria’s #intelligentdigital campaign.

Challenger banks have challenges of their own

If you think that the UK’s High Street banks have had it tough over the last few years, spare a thought for the new kids on the block…

Sure, the big 4 have had to deal not only with the credit crunch, product mis-selling, systems failures and outages, increased regulation, the CMA, the FCA and new regulations such as MiFID II and soon – very soon – PSD2, where all banks will have to allow access to their customer account information to third parties via open APIs. But they now also have to deal with nimble start-ups with appealing propositions who can cherry-pick the most attractive and most profitable customers and offer them a well thought-out product set with excellent – and targeted – customer service. Or even just a single product, one that has been honed and finely tuned to satisfy a specific market demand, be it the highest-paying savings account or a transactional account with all the bells and whistles but without the so-last-century chequebook. And what’s even worse for the High Street banks is that they have to try and compete with these start-ups – or upstarts – using a creaking legacy infrastructure which isn’t fit for purpose in the digital age.

So it’s really an unfair fight, isn’t it? It’s as if the High Street banks are playing with a marked deck, or with one arm tied behind their back, while the Challengers hold all the high cards and can pick off the incumbents at will, much like Monty Python’s King Arthur fighting the Black Knight. Or is it…?

While the incumbents have had to contend with IT systems which were developed in the 1970s, around the time of the widespread deployment of ATMs and when internet banking wasn’t even a twinkle in the eye of Tim Berners-Lee, the Challengers DREAM of having an IT infrastructure to fall back on, or a data centre, or even a Call Centre. Mostly, they have an idea and a target market to go after but they lack the systems and services wherewithal to realise their ambitions. They often have to rely on a systems provider who gets them part of the way to their goal, but who lacks the Business Intelligence and Analytics component or the Business Processes support capability needed to create a comprehensive systems solution.

This means that Challengers have to partner with a number of other providers to realise their goal of an integrated, seamless IT and services offering to support their customer and product ambitions, mostly with a set of components which are not quite as integrated as they would like and where information exchange and a single customer view is far from seamless. In short, they tend to end up with a “legacy infrastructure of the future”, instead of a flexible, upgradeable solution that moves with the times and has built-in future-proofing – which is really how all such systems should be designed and implemented today.

So, the Challenger Banks might be nimble in terms of product development and responsive in terms of customer service but, in reality, their supporting IT solutions can sometimes be as much of a patchwork as an incumbent’s legacy infrastructure, although carefully concealed behind the veneer of a digital front end and a slick mobile app. Not so much a state-of-the-art solution, more of a dead parrot. That’s quite a challenge…

What are your views? Do you think the Challengers have it easy? Are they about to eat the incumbents’ lunch? Or are they faced with exactly the same infrastructure problems and integration issues as their bigger and older competitors? Please leave your comments below or contact me by email.

My blog was originally posted in Finextra on Wednesday 29 June to coincide with the press announcement of Sopra Steria as digital partner of choice for the new UK challenger bank “The Services Family”.