Busting a CDR myth

Why we need to talk about migration
In today’s digital landscape, businesses find themselves needing to migrate their data to new systems for a myriad of reasons.

Originally published on IDM

Whether it is to save costs, improve collaboration or meet consumer data requirements, the migration process must be thought out to ensure continuity of service and data security.

In February we found out ING’s planned swap-out of its CDR solution could place it in breach of its obligations; indeed, the ACCC has since clarified it expects data holders to avoid disrupting or breaking consents. Cutover to the new system would invalidate potentially thousands of customers’ existing consents to share data and put the burden of reintegration costs on data recipients.

ING customers signed up to CDR were told their current data sharing arrangements would end on 21 February and that they won’t be able to view data sharing arrangements set up prior to the platform upgrade in ING online banking. To re-establish data sharing arrangements, customers will need to complete the data sharing consent process in each provider’s app, something that could mean hard-won ADR customers are lost.

The industry is up in arms. But the thing is, data holders need to consider migration options when they sign on to any project as it was only a matter of time before a data holder wanted out of its existing vendor-supplied or in-house developed solution and needed to migrate its consent data as a result. So, why is this conversation only happening now?

Importantly, solutions to this problem do in fact exist. When a data holder is signing on for a project, whether it’s a bank, energy company or (soon) telcos and non-bank lenders, they need to have the migration conversation upfront so they’re not trapped by a vendor or their own in-house solution, whilst still ensuring continuity of service.

There is an urgent need to dispel the sentiment that data holders are locked in with one vendor because organisations are told it’s too hard or even impossible to migrate. Propagating this idea will only hinder the progress of the CDR and stifle innovation.

So, what are the solutions? 

A CDR infrastructure migration can go one of two ways: a “lift and shift” or a concurrent transition.

A lift and shift involves the migration of consent metadata and data recipient registrations from the old system format to the new system format. While this requires a concurrent understanding of both systems’ metadata, this method allows for a “big bang” migration strategy that is completely transparent to participants.

In this way, participants are essentially unaware of changes to the underlying systems. Once the migration is completed, the new system operators can proceed with rotating cryptographic elements to become exclusively authoritative for the holder in question.

The concurrent transition method involves placing the new system in front of the old while performing a conditional pass-through where required. By using this mechanism, implementers can place the old system in sustainment, essentially “waiting out” the existing arrangements while establishing the new arrangements in the new system.

Over time the new system becomes the exclusive owner of all arrangements, and a final migration of historical arrangements is conducted. This method facilitates a gradual transition and a rollback checkpoint separate from the go-live checkpoint.

What should data holders be looking for in a CDR solution?

It’s important to remember that the CDR is a highly complex ecosystem that requires multiple parties to work together for it to function. It won’t work if we’re only thinking about ourselves, and how to ‘lock out’ competitors.

When starting on your CDR journey, data holders should be looking for:

  • High-level contingency plans for the future so you’re not trapped with a solution that’s not fit for purpose or leaves you unable to innovate or take advantage of new CDR capabilities.
  • A vendor that positively contributes to the growth and success of the CDR. They should always have your back whilst still being willing to work with the wider ecosystem to overcome challenges.
  • A vendor that understands both sides of CDR — the Data Recipient and Data Holder domains — so they can provide informed and accurate guidance.
  • A solution that goes beyond primary functionality from Day 1. The ability to quickly analyse consents to support a migration or initiate customer contact are examples of this. Although often viewed as secondary considerations and unlikely to fall within an MVP, these features can quickly become critical.


Stuart Low is Founder and CEO of Biza.io, developer of a Software-as-a-Service solution to meet the complex and rapidly changing Consumer Data Right specification.