Contents
As regulators ramp up enforcement measures, and the compliance-related risks faced by directors and boards increase, there’s a frontier developing in the shadow of trust – proof.
Earlier this year, British Airways was fined AU$329 million for failing to adequately protect consumer data. Those closer to the incident have said the fine was not as high as it could have been, thanks to BA’s diligence in managing the initial risk and related treatment. The maximum penalty under new GDPR laws could have extended the fine to a maximum 4% of annual turnover, of which BA stood at only 1.5%.
This suggests that, going forward, companies will increasingly rely on their ability to prove (with independent verification) that an assessment took place, rather than just their say–so or an 11th-hour consulting report.
Proof engenders trust, as does transparency. This is a good thing. Practically, though, how does 6clicks establish or create proof?
Introducing Chainpoint
In short, we have partnered with Chainpoint – an open standard for creating a timestamp proof of any data, file or process.
We use Chainpoint to take a hash of the meta-data associated with an assessment, which then returns a timestamp proof. A Chainpoint node receives hashes, which are aggregated together using a Merkle tree. The root of this tree is published in a bitcoin transaction.
The final Chainpoint proof defines a set of operations that cryptographically link your assessment data to the bitcoin blockchain. For the tech boffins out there, the diagram below illustrates the way it works.
The simplicity and usefulness of a timestamp proof
And in a practical sense, within 6clicks, every time there’s a change in state for an assessment (for example, when an assessment is approved, published, opened or submitted), we generate a timestamp proof. This proof can then be verified by anyone with the proof to validate whether the assessment status took place at a point of time (note that we do not write any sensitive data to the blockchain, only metadata).
Within 6clicks, you can then create a report, which is useful to share with regulators, your board, or whenever there’s the need for proof. We call this 6clicks Compliance Proof, and it’s just another step in establishing trust with the stakeholders of your business.
Where to next for 6clicks Compliance Proof?
At 6clicks, we’ve baked the concept of proof into our risk assessment lifecycle – from approval through to submission. Right now, the focus is on assessment, but our plan extends to compliance-based training as well.
For those who are interested in finding out more, check out my recent presentation at the ISACA Melbourne Chapter, hosted by PwC on 13 August, where I explained the work we are doing with Chainpoint and where we are heading with 6clicks Compliance Proof. The presentation slides are here and you can check out the recorded presentation below or via this link.
Written by Louis Strauss
Louis began his career in Berlin where he also founded Dobbel Berlin – Berlin’s curated search engine. Returning to Melbourne to join KPMG, Louis lead the development of software designed to distribute IP and create a platform for us by advisors and clients. While at KPMG, Louis also co-authored Chasing Digital: A Playbook for the New Economy. Louis is accomplished in stakeholder management, requirements gathering, product testing, refinement and project implementation. Louis also holds a Bachelor of Engineering and a Masters of Information Systems from the University of Melbourne.
