Blockchain and the General Data Protection Regulation (GDPR) are currently two of the hottest buzzwords. But they have more than just the buzz in common: Nobody yet knows what the impact of either will be.
According to Gartner’s Emerging Technologies Hype Cycle, blockchain is at the “peak of inflated expectations”, meaning that lots of people are talking about blockchain, and there are numerous ideas and theories about what it can be used for. But there are in fact very few real use cases, and although it’s predicted to become a huge technology, nobody really knows how it will go mainstream, what it will mean, and when it will happen.
The GDPR, on the other hand, is a bit more tangible, as there is a date: May 25, 2018. That is when the regulation begins to apply. From then on, companies storing and managing personal data about individuals in the EU will be obliged to handle that data, such as prospect, customer and employee data, in a transparent and structured manner, as individuals gain new data rights such as the right to erasure (the “Right to be Forgotten”, Article 17) and the “Right to Data Portability” (Article 20). However, it remains unclear whether companies will be able to comply by the deadline, how they will best do it, what will happen if they do not (apart from the massive fines, of course), and what the long-term impact of the new data legislation will be for businesses and consumers.
The obvious question now is: can blockchain technology be used to improve customer data management processes, specifically in relation to the upcoming General Data Protection Regulation? And how? That is the objective of a master’s thesis recently conducted by Jakob Nielsen and Omar Hamidi, both Cand. Merc. IT from Aarhus University, Denmark. Through the Stibo Accelerator programme, they investigated how the banking industry can leverage public blockchain technology for identity management in its GDPR compliance efforts. Here, we explore some of the main results of the thesis.
First, what is blockchain technology exactly?
Omar Hamidi explains:
“Blockchain is basically a shared database that stores a continually reconciled registry of transactions in a decentralised P2P network. The transactions are all time stamped and cryptographically linked through a ‘hash’, a unique digital fingerprint. Each block has unique hashes that refer back to previous blocks. That way you have full transparency of your data and all the transactions made.”
It can be a bit tricky to understand if you don’t speak ‘tech’. That’s why Jakob Nielsen likes to use the following analogy to explain it: “Imagine a book with an infinite number of pages. Each page number is generated as a product of the content on each page. If someone changes the content on a page – adds a number for instance – a new page will be generated with that change, so that all versions and changes are stored and documented.”
So, blockchain can advantageously be used where there are transactions between several parties, as in most businesses. Since every transaction must be validated by the network before it is added to the chain, the records in a blockchain are consistent and very hard to alter after the fact (note that validation checks that a transaction is well-formed and authorised, not that the underlying facts are true). And since every node (computer) on the blockchain holds a time-stamped copy of all historical transactions, the need for central databases can eventually be reduced, and availability and integrity improved, as there is no single point of failure for attackers to exploit; the private keys that authorise transactions become the asset to protect instead.
Sounds like blockchain fits perfectly with the GDPR’s main objective of protecting personal data, right?
Not entirely. Public blockchains are designed to be immutable: once information has been written to the chain it cannot be changed or deleted without breaking the hash links that every node verifies. And this is where blockchain technology so far clashes with the requirements of the General Data Protection Regulation.
Under the GDPR, individuals have the right to be forgotten, meaning that organizations must erase all personal data they hold about an individual upon request where one of the grounds in Article 17 applies. But since it is practically impossible to delete anything from a public blockchain, GDPR and blockchain are not compatible, so far.
However, as Jakob Nielsen and Omar Hamidi conclude in their master’s thesis, blockchain can be used to manage consents, another vital aspect of the new regulation, which from May 2018 requires organizations to collect consent that is specific to its purpose (Articles 4(11) and 7). This means that each individual in a database has a set of separate consents linked to him or her, as opposed to today, where organizations use ‘omnibus’ consent, meaning one consent for everything.
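To make both of the points above concrete, the hash chaining that Omar Hamidi describes and the consent management the thesis proposes, here is a small added example. It is not code from the thesis or from Stibo; it is an in-memory stand-in for a public chain. It assumes a design in which only a pseudonymous subject identifier and the consent purpose go on the chain, the personal data itself stays off-chain, and a withdrawal of consent is recorded as a new event rather than by editing the original grant. The customer numbers, salt and consent purposes are constructed for the example.

```python
"""Hash-chained consent ledger (added illustration; not the thesis's code)."""
import hashlib
import json
import time
from typing import Dict, List, Optional, Set


def block_hash(index: int, timestamp: float, payload: dict, prev_hash: str) -> str:
    """Hash a block's contents together with the previous block's hash.

    Because prev_hash is part of the input, altering any earlier block changes
    every hash after it; that is what makes the chain tamper-evident.
    """
    material = json.dumps(
        {"index": index, "timestamp": timestamp, "payload": payload, "prev": prev_hash},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only list of consent events.

    Only a pseudonymous subject ID and the purpose are stored; the personal
    data lives off-chain. This split is an assumption of the example.
    """

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    def append(self, payload: dict, timestamp: Optional[float] = None) -> dict:
        index = len(self.blocks)
        prev_hash = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        ts = time.time() if timestamp is None else timestamp
        block = {"index": index, "timestamp": ts, "payload": payload, "prev": prev_hash}
        block["hash"] = block_hash(index, ts, payload, prev_hash)
        self.blocks.append(block)
        return block

    def grant(self, subject_id: str, purpose: str, timestamp: Optional[float] = None) -> dict:
        return self.append({"event": "grant", "subject": subject_id, "purpose": purpose}, timestamp)

    def withdraw(self, subject_id: str, purpose: str, timestamp: Optional[float] = None) -> dict:
        # Withdrawal is a NEW event; the earlier grant is never edited or deleted.
        return self.append({"event": "withdraw", "subject": subject_id, "purpose": purpose}, timestamp)

    def verify(self) -> bool:
        """Recompute every hash and link; False if any block was altered or removed."""
        prev_hash = "0" * 64
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev_hash:
                return False
            if block_hash(b["index"], b["timestamp"], b["payload"], b["prev"]) != b["hash"]:
                return False
            prev_hash = b["hash"]
        return True

    def current_consents(self, subject_id: str) -> Set[str]:
        """Replay the chain: a purpose is consented if its latest event is a grant."""
        state: Dict[str, bool] = {}
        for b in self.blocks:
            p = b["payload"]
            if p["subject"] == subject_id:
                state[p["purpose"]] = p["event"] == "grant"
        return {purpose for purpose, granted in state.items() if granted}


def pseudonymous_id(customer_number: str, salt: bytes) -> str:
    """Derive an opaque subject identifier from a customer number.

    The salt stays off-chain with the bank, so the on-chain ID cannot be
    reversed to a customer without it (an assumption of this example).
    """
    return hashlib.sha256(salt + customer_number.encode("utf-8")).hexdigest()[:16]


def demo() -> dict:
    salt = b"example-salt-kept-off-chain"  # constructed; use a real secret in practice
    alice = pseudonymous_id("cust-0001", salt)  # constructed customer number
    ledger = ConsentLedger()
    ledger.grant(alice, "marketing_email", timestamp=1.0)
    ledger.grant(alice, "credit_scoring", timestamp=2.0)
    ledger.withdraw(alice, "marketing_email", timestamp=3.0)
    consents = ledger.current_consents(alice)
    valid_before = ledger.verify()
    # Try to "forget" by rewriting history: every later hash link now fails.
    ledger.blocks[0]["payload"]["purpose"] = "marketing_sms"
    valid_after_edit = ledger.verify()
    return {"consents": consents, "valid_before": valid_before, "valid_after_edit": valid_after_edit}


if __name__ == "__main__":
    print(demo())
```

The `verify` check is what a node does: rewriting or removing a record is detectable, which is exactly why consent withdrawal has to be appended as a new event and why the personal data itself, which an individual may ask to have erased, must not be placed on the chain.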
In conclusion, public blockchain cannot legally be used for storing the personal data itself. Even if the data is encrypted so that nobody else can read it today, it remains personal data in the eyes of the GDPR, and leaving it on an immutable chain does not satisfy the right to be forgotten. But blockchain can be used to manage the consents that the GDPR requires.