Five considerations for blockchain applied to data privacy and GDPR

People share with the world data about themselves that used to be considered private, all of this in exchange for “likes”, comments or coupons. Actually, even when I don’t want to, I need to share private and personal data digitally with my doctor or my insurance. As a result, I receive letters from some of these services providers telling me their systems and my private personal data have been compromised.

I may be more sensitive to privacy than some of my colleagues and I know my kids have a lot to learn about the risks and rewards of their digital lives. One thing is for sure, though, citizens across demographics and geographies aren’t confident about institutions securing and respecting their private data.

When looking at blockchain as a solution to privacy challenges, here are five things to consider which could help us all feel more at ease.

1. A technology and a regulation

Privacy in a digital world isn’t something that can be solved with technology only. It will take a systematic approach that combines culture, education, legal, business, process and technology frameworks. On the technology side, blockchain is making tremendous progress with networks that provide value in areas as varied as food trustshipping containerstrade finance and international payments. Respecting the privacy of data and transactions is a core tenant for these projects. On the legal side, the European Union General Data Protection Regulation (GDPR), which takes effect at the end of May 2018, is arguably the biggest change in data privacy regulations in the last 20 years. These two movements are gaining momentum and it begs the question: Should you consider applying blockchain technology to support your GDPR efforts?

2. Opposite starting points but same underlying principles

Blockchain started in 2009 with the release of Bitcoin, a new type of digital currency, which is inflation-proof and independent of a central authority. Compare this with the creation of the GDPR laws by EU regulators, and the two initiatives seem at odds… until you look at the underlying principles. I believe blockchain and GDPR share common principles of data privacy. Both want for us to be in charge of our own digital private data — transactions and payments in the case of Bitcoin, or personal data that needs to be shared with others in the case of GDPR.

3. Promising first steps

We are seeing the realization of blockchain networks with privacy at the center, and the proof that these types of networks make business sense for the organizations investing in them. For example, in Singapore, banks and other organizations successfully completed a Shared Know Your Customer (KYC) network, which allows banks and institutions to share KYC information between them over the network. Using this approach, you as a customer can share your personal data once with your bank, then when acquiring products or services from another institution, you give consent to the network to provide the KYC evidence (not your actual personal data) to the other institution. Granted you still have to trust your bank to protect your information. But sharing your information once and then providing consent to share that evidence is much better that sharing your personal documents multiple times. It decreases the risks of your data being breached.

4. Privacy in public networks

Privacy doesn’t necessarily mean you need a private blockchain network approach, one that requires an invitation or is membership-based. For example, one of the goals for the Sovrin Foundation global identity network, is to provide identity capabilities for everyone on the internet — yes, we can identify your computer on the network today, but we still can’t identify you! We are talking about a global identity network, not a private network. But privacy is at the core with Sovrin principles of self-sovereign and decentralized identity. You are in charge of what identity attributes you share with whom and for which purpose, and your attributes aren’t all in one place. To me, these are privacy-enabling features like those of GDPR.

5. Right to erasure

One of the GDPR requirements is the right to erasure when an individual asks an organization that has their personal data to completely remove that data. The organization then has a limited time to comply. Well, if you know blockchain, you know that the blockchain ledger is append-only and immutable — there is no “undo” button after a write, and the chain of blocks contains historical transaction information that goes all the way back to when the blockchain was created. That can be a challenge for applying blockchain to GDPR. To comply with GDPR, no personal data should be put on the blockchain directly. Techniques exist to deal with this, which consist of putting a cryptographic hash on the chain or the “evidence” instead of the actual data. More guidance and expertise needs to be collected in this space. And, as my Promontory colleagues would say, “Be sure to check with your legal counsel!”

If you’re still reading hopefully I was able to give you a glimpse for the potential of blockchain technology applied to privacy and the EU GDPR. With colleagues Cindy Compert and Maurizio Luinetti, we co-authored a point of view on how blockchain can be applied to the five areas of GDPR — rights of EU data subjects, security of data processing, lawfulness and consent, accountability and compliance, and data compliance by design and by default. For each area, we provided example blockchain projects. There is more to be done in this space but is this a good starting point?