The Role Of Blockchain In Helping Organisations Meet GDPR Compliance

While blockchain and the General Data Protection Regulation (GDPR) are currently two of the data management industry’s hottest buzzwords, they have more than just buzz in common as the industry continues to ponder their respective impact.

They share the same level of excitement as well as the same level of scepticism.

Interestingly, they may be linked in a third way: blockchain could play an important role in helping organisations comply with GDPR rules.

PwC defines blockchain as a digital, decentralised ledger that keeps a record of all transactions that take place across a peer-to-peer network, so that participants can transfer assets across the Internet without the need for a centralised third party.

According to Gartner’s Emerging Technologies Hype Cycle, blockchain is at the “peak of inflated expectations,” meaning that it is a hot topic among audiences, and there are numerous ideas and theories about how it can be used.

While there are many use cases, the reality is very few are up and running. And, although it’s predicted to become an important technology, nobody really knows if it will go mainstream, what it will mean, which technology will become the de-facto standard, and when it all will happen.

The GDPR, on the other hand, is a good bit more tangible with a deadline for compliance of May 25, 2018. By this date, all organisations worldwide doing business with EU customers must assess their information strategy, technology, processes and staff against GDPR rules regarding personal data and implement changes to remain compliant.

The GDPR has an enormous impact on companies around the globe, as it applies to any business that processes the personal data of individuals in the EU, whatever their citizenship, and requires that this information be handled in a transparent and structured manner.

Regardless of whether this personal data belongs to a prospect, a customer or an employee, under the GDPR individuals are given new data rights, which include the “Right to be Forgotten” (the right to erasure, Article 17) and the “Right to Data Portability” (Article 20).

The regulation was adopted by the European Parliament in April 2016, so organisations have been given ample warning, yet it remains unclear whether many of them will be able to comply by the deadline.

How Blockchain Can Impact GDPR: A Look at How It Could Help Financial Services

Notwithstanding the relative uncertainty of both initiatives, many have begun to consider whether blockchain technology could be used to improve customer data management processes, as it relates to the upcoming GDPR rules. But how?

That is the basis of a master’s thesis we recently published. This thesis investigates how the banking industry can comply with GDPR by leveraging public blockchain technology for identity management. It also seeks to understand if blockchain technology can facilitate the managing and auditing processes of personally identifiable information (PII) in a way that will support companies complying with this new regulatory framework.

Privacy and data protection have become a critical concern, which is what prompted the GDPR to be introduced in the first place.

The idea we proffered in the thesis is a consent management system built on a blockchain, which can help manage what each individual is willing to share. In the financial sector, for example, the requirement to establish each party’s identity before a transaction can be executed is nothing new.
 
Know Your Customer (KYC) applies to every bank worldwide and is all about identifying your customer and verifying their PII. Each bank repeats the process independently, so mistakes creep in and duplicate, diverging copies of the same PII accumulate.

Designing a consent management system based on blockchain could provide a simple, accessible and immutable audit trail that eases the audit and compliance tasks for organisations while providing individuals with an easy and trusted way to get an overview of with whom they have shared their personal information.

Sounds like blockchain fits perfectly with the GDPR’s main objective of protecting personal data, right? Not exactly.

Since public blockchains are immutable, once information is written to one it cannot be changed or deleted. That property is exactly what other use cases want, but it is where blockchain technology appears to clash with the requirements of the General Data Protection Regulation.

With the GDPR, individuals have the right to be forgotten, meaning that organisations must delete ALL personal data of an individual upon request, unless one of the regulation’s exceptions applies (for example, where the law requires the data to be retained).

But since it is practically impossible to delete anything from a public blockchain, GDPR and blockchain may not be compatible. Or are they?

It all comes down to two issues:

1.    Who is managing the blockchain and who manages the consent?
2.    Is data put “beyond use” considered “forgotten” under GDPR?

Managing Consent

In some cases, individuals may manage their own PII, as there may be an opportunity for them to sell this information to companies at a premium.

Either way, blockchain can be used to manage consents, another vital aspect of the new regulation, which in some cases requires organisations to collect consent that is specific to each purpose of processing.

This means that each individual in a database has a distinct set of consents linked to him or her, as opposed to today’s practice of “omnibus” consent or “one-consent-for-all.”

Putting Data Beyond Use

Authors of a recent study by Deloitte entitled Blockchain & Cyber Security: Let’s Discuss contend that implementing the right to be forgotten in a technology that guarantees nothing will be erased actually has multiple solutions. The authors write:

“One solution is to encrypt the personal information written in the system, to ensure that, when the time comes, forgetting the keys will ensure that sensitive information is no longer accessible. Another possibility is to focus on the value of blockchain to provide unalterable evidence of facts by writing the hash of transactions to it, while the transactions themselves are stored outside of the system. This maintains the integrity of transactions, while enabling the ability to erase the transactions, leaving only vestigial traces of forgotten information in the blockchain.”

Furthermore, the United Kingdom’s Information Commissioner’s Office (ICO) has issued guidance stating that putting data “beyond use” satisfies the deletion requirements of the UK’s Data Protection Act, so long as the data controller holding it:

  • Is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
  • Does not give any other organisation access to the personal data;
  • Surrounds the personal data with appropriate technical and organisational security; and
  • Commits to permanent deletion of the information if, or when, this becomes possible.
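The two Deloitte approaches above (destroying the key, and anchoring only a hash on-chain while the record itself lives off-chain), combined with the per-purpose consent records from the Managing Consent section, in one added example. This is illustrative code written for this page, not from the article, the Deloitte study or the thesis it discusses; the `Ledger` hash chain stands in for a real blockchain, the controller and subject identifiers are made up, and the cipher is a standard-library stand-in for an AEAD such as AES-GCM:

```python
"""Per-purpose consent ledger: hashes on-chain, encrypted PII off-chain, and
erasure by crypto-shredding. Added illustration, not code from the article or
the thesis it describes. The HMAC-SHA256 counter-mode cipher with an
encrypt-then-MAC tag stands in for a real AEAD (AES-GCM) so the example runs
on the standard library alone."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Ledger:
    """Append-only hash chain standing in for the public blockchain."""
    def __init__(self):
        self.blocks = []  # each: {"prev": hex, "record_hash": hex, "hash": hex}

    def append(self, record_hash: str) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block_hash = hashlib.sha256((prev + record_hash).encode()).hexdigest()
        self.blocks.append({"prev": prev, "record_hash": record_hash, "hash": block_hash})
        return block_hash

    def verify(self) -> bool:
        prev = "0" * 64
        for block in self.blocks:
            expected = hashlib.sha256((prev + block["record_hash"]).encode()).hexdigest()
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True

    def contains(self, record_hash: str) -> bool:
        return any(b["record_hash"] == record_hash for b in self.blocks)

class ConsentStore:
    """Controller-side off-chain store: one key per subject, encrypted records."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.keys = {}     # subject_id -> key; deleting it is the crypto-shredding step
        self.records = {}  # subject_id -> [(record_hash, ciphertext), ...] in chain order

    def record(self, subject_id, action, controller, purpose, attributes=None) -> str:
        body = {"subject": subject_id, "action": action, "controller": controller,
                "purpose": purpose, "attributes": attributes or {}}
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        ct = encrypt(key, json.dumps(body, sort_keys=True).encode())
        # Anchor the hash of the ciphertext, never of raw PII: a bare hash of a name falls to a dictionary attack.
        record_hash = hashlib.sha256(ct).hexdigest()
        self.ledger.append(record_hash)
        self.records.setdefault(subject_id, []).append((record_hash, ct))
        return record_hash

    def has_consent(self, subject_id, controller, purpose) -> bool:
        key = self.keys.get(subject_id)
        if key is None:  # erased subject: nothing decrypts, so nothing is consented
            return False
        state = False
        for _, ct in self.records.get(subject_id, []):
            body = json.loads(decrypt(key, ct))
            if body["controller"] == controller and body["purpose"] == purpose:
                state = body["action"] == "grant"  # latest grant/revoke wins
        return state

    def erase(self, subject_id) -> int:
        """Right to erasure: shred key and ciphertexts; count the hashes left on chain."""
        self.keys.pop(subject_id, None)
        gone = self.records.pop(subject_id, [])
        return sum(1 for h, _ in gone if self.ledger.contains(h))

def demo() -> dict:
    """Constructed scenario: one customer, two purposes at one bank, then erasure."""
    ledger = Ledger()
    store = ConsentStore(ledger)
    store.record("cust-001", "grant", "bank-a", "kyc", {"name": "A. Example"})
    store.record("cust-001", "grant", "bank-a", "marketing", {"email": "a@example.test"})
    store.record("cust-001", "revoke", "bank-a", "marketing")
    before = (store.has_consent("cust-001", "bank-a", "kyc"),
              store.has_consent("cust-001", "bank-a", "marketing"))
    vestigial = store.erase("cust-001")
    return {"before": before, "after": store.has_consent("cust-001", "bank-a", "kyc"),
            "chain_ok": ledger.verify(), "vestigial": vestigial}
```

`demo()` returns `{"before": (True, False), "after": False, "chain_ok": True, "vestigial": 3}`: consent for KYC survives the revocation of the marketing purpose, erasure leaves three hashes on the chain that no longer decrypt to anything, and the chain still verifies afterwards. Two things a practitioner would check before relying on this design: a hash of raw PII (a name, an account number) can be reversed by guessing and is itself pseudonymised personal data, which is why the example hashes the randomised ciphertext rather than the record; and key destruction only puts the data beyond use if every copy of the key, including backups and HSM exports, is gone, since a recoverable key means the controller is still able to use the data.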

Blockchain Can Help, But There is Still Work to Do for Full GDPR Compliance

So, while there are still unanswered questions about the ability of blockchain technology to support GDPR efforts, the technology seems to have significant potential.

Still, at least three areas need to be addressed: the available technology, the regulation itself, and the people who will manage or be affected by it. All three must work together in practice, as adopting and using such a solution will require a different approach.

As discussed earlier, how the data is managed by the organisation, and whether the blockchain is public or private, matters a great deal.

As the regulatory effort seeks to give individuals more control over their personal information, a critical topic to reassess from a regulatory perspective is the requirement for banks to obtain and store PII locally. Without that requirement, a bank could instead access the PII remotely, giving a single source of truth in which individuals have full control over their attributes and over who has access to which information.

Additionally, allowing trusted parties to add their own verifications would let individuals build up the trust and validity of their digital identity over time, without relying on a single organisation.

More technical research into data storage and blockchain is needed to answer whether the right to be forgotten can be satisfied in such an autonomous system. If it can, the use cases for such a solution would stretch across all industries and address many challenges faced by financial institutions as well as other organisations.

The bottom line? While there is some question whether public blockchain can legally be used for storing personal data at this point, there is the potential that it may someday fully align with the GDPR requirement and “the right to be forgotten.”

Blockchain can be well-suited to manage the consents under the GDPR, but it must address GDPR’s need to have information removed from it.

Information-Management
