As regulators ramp up enforcement measures, and the compliance-related risks faced by directors and boards increase, there’s a frontier developing in the shadow of trust – proof.
Earlier this year, British Airways was fined AU$329 million for failing to adequately protect consumer data. Those closer to the incident have said the fine was not as high as it could have been, thanks to BA’s diligence in managing the initial risk and related treatment. The maximum penalty under the new GDPR laws could have extended the fine to 4% of annual turnover, whereas BA’s fine came to only 1.5%.
This suggests that, going forward, companies will increasingly rely on their ability to prove (with independent verification) that an assessment took place, rather than just their say-so or an 11th-hour consulting report.
Proof engenders trust, as does transparency. This is a good thing. Practically, though, how does 6clicks establish or create proof?
In short, we have partnered with Chainpoint – an open standard for creating a timestamp proof of any data, file or process.
We use Chainpoint to take a hash of the metadata associated with an assessment, which then returns a timestamp proof. A Chainpoint node receives hashes, which are aggregated together using a Merkle tree. The root of this tree is published in a Bitcoin transaction.
The final Chainpoint proof defines a set of operations that cryptographically link your assessment data to the Bitcoin blockchain. For the tech boffins out there, the diagram below illustrates the way it works.
And in a practical sense, within 6clicks, every time there’s a change in state for an assessment (for example, when an assessment is approved, published, opened or submitted), we generate a timestamp proof. Anyone holding the proof can then verify that the assessment reached that status at a given point in time (note that we do not write any sensitive data to the blockchain, only metadata).
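As an added illustration (not 6clicks’ or Chainpoint’s own code, and a simplified model rather than Chainpoint’s actual proof format), the Python below shows the three steps described above: hashing an assessment’s state-change metadata, aggregating those hashes into a Merkle tree, and expressing the proof as a list of left/right hash operations that a holder replays to reach the root that would be anchored in a Bitcoin transaction. The event records are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample metadata: one record per assessment state change.
# Only metadata is hashed, never the assessment content itself.
EVENTS: List[Dict[str, str]] = [
    {"assessment_id": "A-1001", "status": "approved", "at": "2019-08-01T09:00:00Z"},
    {"assessment_id": "A-1001", "status": "published", "at": "2019-08-02T10:30:00Z"},
    {"assessment_id": "A-1001", "status": "submitted", "at": "2019-08-05T16:45:00Z"},
]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(metadata: Dict[str, str]) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so identical metadata always hashes the same.
    return sha256(json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode())

def _pad(level: List[bytes]) -> List[bytes]:
    # Duplicate the last node so every level pairs up evenly.
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    # levels[0] are the leaves; each higher level hashes neighbouring pairs.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_root(leaves: List[bytes]) -> bytes:
    # This 32-byte value is what would be written into the anchoring transaction.
    return build_tree(leaves)[-1][0]

def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    # Each op says which side the sibling hash sits on: ("r", h) = append h, ("l", h) = prepend h.
    proof = []
    for level in build_tree(leaves)[:-1]:
        level = _pad(level)
        proof.append(("r" if index % 2 == 0 else "l", level[index ^ 1]))
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    # Replay the ops from the leaf; the holder needs only the leaf, the ops and the anchored root.
    h = leaf
    for side, sibling in proof:
        h = sha256(h + sibling) if side == "r" else sha256(sibling + h)
    return h == root
```

Changing a single metadata field (for example the status) yields a different leaf hash, so the replayed ops no longer reach the anchored root and verification fails.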
Within 6clicks, you can then create a report, which is useful to share with regulators, your board, or whenever there’s the need for proof. We call this 6clicks Compliance Proof, and it’s just another step in establishing trust with the stakeholders of your business.
At 6clicks, we’ve baked the concept of proof into our risk assessment lifecycle – from approval through to submission. Right now, the focus is on assessment, but our plan extends to compliance-based training as well.
For those who are interested in finding out more, check out my recent presentation at the ISACA Melbourne Chapter, hosted by PwC on 13 August, where I explained the work we are doing with Chainpoint and where we are heading with 6clicks Compliance Proof. The presentation slides are here and you can check out the recorded presentation below or via this link.