Monday 21 December 2015

Season's greetings from this unseasonably warm UK

Just a short post to both thank my clients during the last year, and for those who have noticed a lack of recent postings to assure you I am still alive.
First, the thanks. After two and a half years it is good to know that there is demand for an independent analyst. As the majority of my engagements have been under very restrictive NDAs, I must be careful who I name, but you know who you are and I thank you for your business. Two I can name are Capita and AIIM, both of whom have indulged my passion for Data Protection, and the forthcoming EU General Data Protection Regulation in particular.
Second, my focus for research and consultancy in 2016. GDPR will, I believe, stay top of my list, as part of the Information Management stream. In addition, despite the UK appearing to give up on renewable energy from photo-voltaic sources (solar panels), I will still be doing a lot of work on market sizing, pricing and sustainable business models, both for the UK and across Europe.
So season's greetings to all, and all the best for 2016.
Mike

Tuesday 29 September 2015

#gdpr - still keeping me busy

Following last week's AIIM webinar, I am currently in early preparation for a 19 November Capita event. Bit scary, as representatives of the UK Information Commissioner's Office (ICO), the EU and the UK Ministry of Justice will be speaking as well. Despite delays in getting the Regulation through, it is now very high on the agenda.

UK-related examples include poppy sellers being hounded for charity donations, Lloyds Bank customers having their data lost by RSA, and of course all those who submitted their details to Ashley Madison.
However, there are lots of challenges still out there to be addressed. It should be an informative day for speakers as well as attendees.

Friday 4 September 2015

Update and musings

Apologies to all that I haven't been tweeting or blogging much in the last couple of months (I know you have(n't) missed me) - sadly one AR person asked whether I was still working!
With a number of colleagues, msmd advisors has been undertaking significant number crunching around renewable energy (particularly PV, photo-voltaic) for a variety of clients. 'Top and bottom' - expect lively debate about PV in the next term of the UK parliament.
Back to the 'day job': the EU General Data Protection Regulation (#GDPR) will be the focus for the autumn. Speaking for AIIM on 24 Sept (http://bit.ly/1JSlT7O) and at a Capita conference in November. Again, this could be interesting politically in the next year.
If any of the above topics have 'stimulated' your interest, check out the contact page of the msmd advisors website.

AIIM webinar on EU Data Protection 24 September

Just putting the final touches to my presentation. Despite the migrant crisis, there is a lot going on at the moment across Europe on #gdpr. Somewhat ironically, having GDPR in place by now might have helped address the information flow issues, which could in turn support a 'whole Europe' policy for migrants/refugees.

Wednesday 5 August 2015

Should I upgrade to Windows 10?


Recent contribution to IT Pro's missive -  http://bit.ly/1IX4v7E


Sunday 21 June 2015

“15 different types of spaghetti”

The most recent failure of UK bank RBS, and its group of companies, to process 600,000 payments illustrates yet again the major problems underlying the IT systems of not just the banking sector, but any industry where there have been multiple, often rapid, mergers and acquisitions.
One RBS executive reportedly told the UK’s BBC that the bank’s systems were like “15 types of different spaghetti”. To my knowledge, and from my experience of the industry, that is a significant underestimate of the complexity.

RBS, before the financial crash of 2007/8, when it had to be bailed out by the UK government to the tune of £46 billion, was for a short time the largest bank in the world. Its size came from a rapid period of acquisitions, most notably under the direction of CEO Fred Goodwin, who became known as ‘Fred the Shred’, reflecting the bank’s penchant for divesting itself of personnel in the newly acquired subsidiaries in order to boost profits, and thus the share price.
Sadly the rapidity of the mergers, and the loss of the people who understood the IT systems of the acquired companies, did not bode well for RBS trying to operate and report as a group.

In 2012, for several weeks, 6.5 million customers of RBS and its NatWest and Ulster Bank subsidiaries could not use their online banking facilities, some could not make mortgage payments, and others outside the UK could not withdraw cash. This resulted not only in a loss of face and confidence, but in a £56 million fine from the UK regulators.

The problem was diagnosed as a software incompatibility which became apparent following a software upgrade, amplified by the fact that the bank didn’t have contingency processes in place to mitigate the problems. In December 2013 more than 1 million RBS, NatWest and Ulster Bank customers found they could not access their accounts after what appeared to be a similar failure, but in a different system.
Finally to June 2015: after the bank had reportedly spent the originally planned £2 billion on upgrading its systems, plus another £750 million, 6% of the transactions to be processed overnight failed because ‘the file could not be read properly’.
Having spent the majority of the last three years working around FINTECH, principally in the UK banking sector, I can only say I am not surprised.

Most of the major banks’ core back-end systems were written several decades ago around batch processing; they are robust, well documented and supported. However, the ‘front-ends’ to those systems for on-line access, via the internet and latterly mobile devices, have not been built as well, and their need for near real-time processing is fundamentally at odds with the batch back-end systems.

Add to that the fact that RBS, like the majority of banks following mergers and acquisitions, is running multiple back-end and front-end systems and has had to write ever more complex code to integrate them, and the number of different spaghetti types could be many multiples of 15.

Sadly for us as bank customers, RBS’ recent predicament is just one example of what can (and will) go wrong.
My thoughts about RBS’ exposure to such problems are that, during the ‘rationalisation’ following its acquisitions, it lost much of the knowledge regarding the integration of systems within the IT estates of its subsidiaries. Furthermore, integration between the systems of the business units was done tactically, and not as part of a planned strategic investment. Thus, when upgrading central and cross-business systems, not all of them can be tested properly before the upgrades are applied. This was compounded by a lack of mitigation plans, which could have led to a faster resolution of the resulting problems.
To be fair to RBS, it has put a ‘shed-load’ of somewhat belated investment into getting its systems together, and it put its ‘hands up’ very quickly to the failure. Another bank I worked with had a server it didn’t dare switch off, because at the time it did not know which other systems across the bank and its subsidiaries the server’s information supported. Having looked at them all in a lot of detail, there are only two large banks I would feel confident with to handle my data without a major mishap such as that at RBS, and even those have some problems with their manual processes.
So what is the answer? Well, thankfully it is already happening, in all the banks reviewing/renewing their systems and doing it in a planned and measured way, not ‘on-the-fly’ to meet the next financial reporting date. Those in industries outside banking should not be complacent; the problems experienced by RBS are not sector specific. Need I remind my colleagues stuck in airport lounges of the upgrade problems on the UK's air traffic control system, run by NATS?

Will we see a repeat of RBS’ problems, at RBS, at other banks, or in other industries? Yes: there are at least 350 different types of pasta in the world.

Thursday 18 June 2015

Want to use a Nest Cam in the UK? - Register with the ICO

The announcement that Google’s smart homewares firm Nest has developed a motion-activated web cam for home security purposes sounds like a neat idea for those householders about to leave on holiday, or who want to know what the au pair is doing in their bedroom while they are out at work.

However, householders using the Nest Cam technology in the European Union (EU) need to be aware that any images they capture of people are regarded under Directive 95/46/EC as personal data. As such, those who capture the images need to register with their country’s Data Protection Authority (DPA) that they are storing personal information, and, potentially, in order to comply with that registration, put up signs warning people in the house that their activities may be recorded.

The new device comes from developments following the acquisition of Dropcam by Nest in 2014 (Nest itself having only recently been acquired by Google). Motion-activated, it streams live video to Google’s servers and records it there. It then ‘alerts’ the customer and gives them access to the recordings for the last 10 or 30 days, for a ‘nominal’ £8 or £24 per month respectively. So that’s the technology bit.

Now the legal aspect. Under EU Directive 95/46/EC images of people are personal data, and as such are managed by a data controller, who can ask a data processor to store them on their behalf, although the data controller retains ultimate responsibility for the storage of, and access to, the data, and even for its loss or breach.

Now the fun bit, and why we need the forthcoming EU Data Protection Regulation (#EUdataP, #gdpr) without it being watered down over the next months.

Data Protection today (UK focused)
The data controller is the person/organisation capturing the personal data, so the householder, and therefore Google (with the majority of its servers in the US) will be the data processor. With a Nest Cam it could potentially be argued that Google, via Nest, is the data controller, but that misses the real issue of 'informed consent' for the data to be stored.

In either circumstance, under 95/46/EC personal data captured in the EU can only be ‘exported’ outside the European Economic Area (EEA) with the explicit consent of the data subject (absent one of the Directive’s other safeguards). Easy when you fill in the bank loan application, but how do you get the ‘ne’er-do-well’ who is taking your iPad and jewellery from your bedroom to consent to their image being stored by a hosting provider in the US?

Simple fact: you need to alert them to the fact that they are being recorded. Thus a sign such as we see in many ‘public places’ in the UK, stating that images are subject to recording and who the data controller is, is probably going to be required in houses installing a Nest Cam. Furthermore, taken to the limit of UK law, the householder needs to register with the UK Information Commissioner’s Office (ICO) – other EU countries have their own DPA – as a data controller. The reason is that if you are not the registered data controller (in the UK) and you present evidence gathered without the data subject’s consent, that evidence may be inadmissible in court.

Do you really want a Nest Cam? Of course you do, it will be fun when the smallest child says that the dog has eaten the cheese in the fridge. But please ensure you have registered yourself as a Data Controller with the ICO.

Monday 15 June 2015

A Blackberry lollipop? - yes please


I don’t normally stray into the world of mobile devices, but the widely reported news that Blackberry’s next smartphone will run on Google’s Android OS rather than its own proprietary software is something to take notice of.
This is a very logical move following the development of BlackBerry Enterprise Server 12 (BES12) to manage enterprise mobile devices running iOS, Windows Phone or Android. Furthermore, back in February the company extended the server to work with devices running Android Lollipop.
From its inception Blackberry has been focused on the enterprise, and with Enterprise Server it has been the CIO/CTO’s favoured ecosystem for mobile enterprise communications ever since.

However, despite the strength and maturity of its own OS and the associated software (IMHO the Blackberry Playbook was a great device), it has lost market share, most notably to iPhones and the diverse range of smartphones running Android. Latest reports indicate that it only has 1.5% of the US market for new devices. With Microsoft now also offering credible enterprise-ready mobile devices, the writing is not just on the wall for Blackberry, but on the ceiling and floor as well.

When Blackberry started as Research In Motion (RIM) it had to build its own devices and OS; nothing else was up to the security requirements of enterprise (particularly government) organisations.
Whilst I don’t expect an overnight drop in the (still amazingly common) sight of executives putting an iPhone or Samsung next to a Blackberry on the table at meetings, this is a useful announcement for the CIO/CTO, still juggling the three balls of mobile enterprise security, user preference and Bring Your Own Device (BYOD).

Wednesday 29 April 2015

IT Pro Panel on the Internet of Things (IoT)

I was invited to contribute my sixpenn’orth to the debate around security. Nice to be in such good company.
Next Panel will be on Windows 10.

Tuesday 21 April 2015

Channelnomics Webcast

Took part in an interesting debate representing AIIM on new security challenges, including EU GDPR, alongside Mark Oakton, Chief Executive, Infosec Partners; Alan Ryan, Security Practice Director, MTI Technology; Omer Wilson, EMEA Marketing Director, Digital Realty; and Tom Owen, Security Manager, Memset.
Was a bit hot under the lights (I didn't need that tee-shirt).

Link to the download: http://bit.ly/1J68nSG
Link to the player: http://bit.ly/1HQhcP7

Sunday 8 February 2015

EU GDPR – it's not in the 'long grass'


David Smith, Deputy Commissioner and Director of Data Protection at the UK Information Commissioner's Office, recently penned a helpful blog post on the current position of the forthcoming EU General Data Protection Regulation (GDPR).
Whilst it explains the reasons for the delay, which gives a little more ‘breathing space’ for organisations (some of which msmd advisors is currently supporting) to get their ‘house in order’, it also holds out for adoption in early 2016, which would mean organisations having to be compliant by 2018.
Given that many regulated organisations are foreseeing a raft of other ‘initiatives’ dropping on them in the next two years, msmd advisors' counsel is still to start preparing now.

Tuesday 3 February 2015

Rural broadband – it’s not rocket science

As I walk through my small country village, I see new green cabinets installed by the roadside, and as I drive to and from my nearest town there are road works where men are laying cables. Yes, fibre broadband is coming to HU12, and not before time.
As I have written before, living within a stone’s throw of the exchange, I can get 7.5Mbps download during the day, but after 4:00pm when the local children log onto Minecraft etc. I am lucky to get 2.0Mbps, and my Netflix and Amazon Prime subscriptions appear to be wasted investments.
However, I have spoken to the men in hi-viz jackets, and within a month I should have the ‘superfast broadband’ that BT Openreach have been hinting at for the last two years.
But I am in the lucky 95% of the country that will have fibre broadband in the near future; some of my not too distant neighbours are still struggling to get 2Mbps, with no planned rollout to them. For my farmer colleagues this is very frustrating and potentially financially crippling, as the Department for Environment, Food and Rural Affairs (DEFRA) has made all claims for the ‘single farm payment’ (a subsidy under the EU Common Agricultural Policy) online only.
This again shows both a lack of joined-up thinking across government departments and decision makers taking comfort in statistics rather than detail.
The 95% figure, the percentage of the population across England that will have access to fibre broadband, comes from the Department for Culture, Media and Sport (DCMS), which is feeling very satisfied and is now investing in even faster speeds for urban areas. But in contrast, in the nearby, predominantly rural, constituency of Thirsk and Malton in Yorkshire only 82% of the population are scheduled to get fibre broadband, and the majority of the remaining 18% will be the farming community.
Whilst it is not practical, or cost effective, to run fibre to every cottage and farmhouse in England, there are other approaches to providing broadband in which it would be good for the DCMS (potentially in conjunction with DEFRA) to invest. Examples include my local ‘radio in the Paull church tower’ or the mesh network in Robin Hood’s Bay.
Before we start to roll out 100Mbps to urban households, it would be good to have 100% of premises on at least 2Mbps.