By IBM Team
People share with the world data about themselves that used to be considered private, all of
this in exchange for “likes”, comments, or coupons. Actually, even when I don’t want to, I need
to share private and personal data digitally with my doctor or my insurance. As a result, I
receive letters from service providers telling me their systems and my private personal data
have been compromised. Being French, I may be more sensitive to privacy than my American
colleagues and I know my kids have a lot to learn about the risks and rewards of their digital
lives. One thing is for sure, though, citizens across demographics and geographies aren’t
confident about institutions securing and respecting their private data.
1- A technology and a regulation
Privacy in a digital world isn’t something that can be solved with technology only. It will take a
systematic approach that combines culture, education, legal, business, process, and technology
frameworks. On the technology side, blockchain is making tremendous progress with networks
that provide value in areas as varied as food trust, shipping containers, trade finance, or
international payments. Respecting the privacy of data and transactions is a core tenet for
these projects. On the legal side, the EU General Data Protection Regulation (GDPR), which
takes effect at the end of May, is arguably the biggest change in data privacy regulations in the
last 20 years. With these two movements gaining momentum, the question arises: should you
consider applying blockchain technology to support your GDPR efforts?
2- Opposite starting points but same underlying principles
Blockchain started in 2009 with the release of bitcoin, a new type of digital currency, which is
inflation-proof and independent of a central authority. Compare this with the creation of the
GDPR laws by EU regulators and the two initiatives seem at odds… Until you look at the
underlying principles. I believe blockchain and GDPR share common principles of data privacy.
Both want us to be in charge of our own digital private data (transactions and payments in
the case of bitcoin, or private data that needs to be shared with others in the case of GDPR).
3- Promising first steps
We are seeing the realization of blockchain networks with privacy at the center, and the proof
that these types of networks make business sense for the organizations investing in them. For
example, in Singapore, banks and other organizations successfully completed a Shared Know
Your Customer (KYC) network, which allows banks and institutions to share KYC information
between them over the network. Using this approach, you as a customer share your private
information once with your bank for example, and then, when acquiring products or services
from another institution, you give consent to the network to provide the KYC evidence (not
your actual private data) to the other institution. Granted, you still have to trust your bank to
protect your information. But sharing your information once and then providing consent to
share the evidence is much better than sharing your personal documents with many. It
decreases the risks of your data being breached.
4- Privacy in public networks
Privacy doesn’t necessarily mean you need a private blockchain network approach (by
invitation only or membership-based). For example, one of the goals for the Sovrin Foundation
global identity network is to provide identity capabilities for everyone on the internet (yes, we
can identify your computer on the network today, but we still can’t identify you!). We are talking
about a global identity network, not a private network. Still, privacy is at the core with Sovrin
principles of self-sovereign and decentralized identity. You are in charge of what identity
attributes you share with whom and for which purpose, and your attributes aren’t all in one
place. To me, these are privacy-enabling features like those of GDPR.
5- Right to erasure
One of the GDPR requirements is the right to erasure when an individual asks an organization
that has their private data to completely erase that data. The organization then has a limited
time to comply. Well, if you know blockchain, you know that the blockchain ledger is append-only
and immutable (there is no “undo” button after a write, and the chain of blocks contains
historical transaction information that goes all the way back to when the blockchain was
created!). That can be a challenge for applying blockchain to GDPR! To comply with GDPR, no
private data should be put on the blockchain directly. Techniques exist to deal with this, which
consist of putting a cryptographic hash of the data, or other “evidence”, on the chain instead of
the actual data. More guidance and expertise need to be collected in this space. And, as my
Promontory colleagues would say: “Be sure to check with your legal counsel!”
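The hash-on-chain technique this section describes, as an added example that is not code from the IBM post: the personal data and a random salt stay in an erasable off-chain store, only the salted SHA-256 "evidence" is appended to the ledger, and an erasure request is met by deleting the off-chain record while the ledger entry stays put. The ledger, store and record names are constructed for illustration; the last function shows why the salt matters, since a bare hash of low-entropy personal data (a date of birth) can be matched against a short candidate list and therefore still counts as personal data.

```python
import hashlib
import secrets

# Constructed illustration (not code from the IBM post): the ledger is
# append-only and can never forget; the off-chain store can.
LEDGER = []        # list of (record_id, evidence) entries, never deleted
OFF_CHAIN = {}     # record_id -> (personal_data, salt), erasable on request


def commit(record_id, data):
    """Keep data off-chain; append only H(salt || data) to the ledger."""
    salt = secrets.token_bytes(32)                    # 256-bit random salt
    evidence = hashlib.sha256(salt + data).hexdigest()
    OFF_CHAIN[record_id] = (data, salt)
    LEDGER.append((record_id, evidence))
    return evidence


def verify(record_id):
    """Recompute the evidence from the off-chain record and match the ledger."""
    if record_id not in OFF_CHAIN:
        return False                                  # nothing left to prove
    data, salt = OFF_CHAIN[record_id]
    expected = hashlib.sha256(salt + data).hexdigest()
    return any(rid == record_id and ev == expected for rid, ev in LEDGER)


def erase(record_id):
    """Right to erasure: drop data and salt; the ledger entry stays but is
    now an unlinkable, random-looking digest."""
    OFF_CHAIN.pop(record_id, None)


def bare_hash(data):
    """The weak variant: an unsalted hash of the personal data itself."""
    return hashlib.sha256(data).hexdigest()


def guess_bare_hash(evidence, candidates):
    """Why the salt matters: a bare hash of low-entropy data such as a date of
    birth can be matched against a short candidate list, so it is still
    personal data. Returns the matching candidate or None."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == evidence:
            return candidate
    return None


if __name__ == "__main__":
    ev = commit("customer-42", b"1985-03-14")         # constructed record
    print(verify("customer-42"))                      # True
    erase("customer-42")
    print(verify("customer-42"), len(LEDGER))         # False 1
```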
If you’re still reading, hopefully I was able to give you a glimpse of the potential of blockchain
technology applied to privacy and the EU General Data Protection Regulation (GDPR). With
colleagues Cindy Compert and Maurizio Luinetti, we co-authored a point of view on how
blockchain can be applied to the 5 areas of GDPR (rights of EU data subjects, security of data
processing, lawfulness and consent, accountability and compliance, and data compliance by
design and by default). For each area, we provided example blockchain projects. There is
more to be done in this space but is this a good starting point?