The Blockchain GDPR Puzzle: An Expert Weighs In
It's no wonder that when two massive technology shifts are brought together, experts in each area rush to weigh in at the intersection.
Akshay Sharma, Principal Analyst for the boutique advisory firm neXt-Curve, shared strong views in a note published last month on the potential to use blockchain technologies to enhance the General Data Protection Regulation (GDPR), rather than serve as its "polar opposite."
Often a contrarian, Sharma, a former Gartner analyst who studied and wrote on network infrastructure and software trends, called out in his note early proofs of concept under way that use blockchain and tokens to improve the protection of private information.
Given that the EU's requirement went live last month, after years of planning, there is growing interest in whether blockchain is a friend or foe of GDPR, since a blockchain keeps an immutable registry of transactions in a distributed ledger designed to ensure that data integrity is maintained.
According to Gartner, Blockchain is a type of distributed ledger in which value-exchange transactions (in bitcoin or other token) are sequentially grouped into blocks. Each block is chained to the previous block and permanently recorded across a peer-to-peer network, using cryptographic trust and assurance mechanisms.
As Sharma writes, "In the realm of information security, blockchain-enabled information security applications offer alternative methods to establish trust and resiliency with little reliance on centralized arbiters, and track digital assets (data types, identifiers, credentials, encryption keys, transactions and device attributes)."
He explains that GDPR demands that organizations take specific measures to protect data using people, processes and tools:
- Take a risk-based approach to data protection and security, by assessing, monitoring and plugging all vulnerabilities (network, application, organizational, etc.)
- Establish technical measures to validate data is protected, with encryption techniques, and have systems in place to ensure the records are under policy-control, and customers have the right to be "forgotten"
- Continuously monitor data protection measures, and report as needed
- Correct any protection failures and notify the authorities when compromised.
According to Sharma's note, auditing is key, and "by leveraging Hybrid Public and Private Blockchain technology, with permission-based controls, blockchain technology can facilitate the managing and auditing processes of personally identifiable information (PII) by leveraging its underlying encryption capabilities, logging of all transactions, policy controls within its smart contracts, and resiliency within its highly replicated architecture."
Sharma envisions enterprises using blockchain for smart contracts with policies for consent management, as well as policies identifying who can view, update and transact with this data.
"Blockchain can provide the audit and compliance tasks for organizations while providing individuals with a platform to see who has interacted with their information, and with policy controls can opt-out to be forgotten," Sharma says, in contrast to other pundits who claim public blockchain is the antithesis of GDPR.
Sharma suggests enterprises conduct thorough risk assessments, with a deep understanding of their current network infrastructure and analysis of the vulnerabilities that could lead to GDPR non-compliance. This includes working with Communications Service Providers (CSPs) and contact center vendors to ensure all transactions - on the web, on the phone, on social media - observe GDPR compliance requirements.
"Blockchain's immutability for the Right to be Forgotten vs the Right for Erasure is important to consider," Sharma said in an interview. "Forgotten can be controlled and stored in the Blockchain, just not used, for example storing it in a private blockchain that no one has access to. Erasure is tricky as the Blockchain stores it but in an encrypted form."
According to one EU lawyer, the Right to Erasure is still achieved as long as the encryption keys are destroyed and the stored data is not recoverable.
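The pattern the lawyer describes is usually called crypto-shredding: PII is encrypted before it is written to the append-only ledger, the per-subject key is kept off-chain in a mutable key store, and "erasure" means destroying that key so the ciphertext left on the chain is unrecoverable while the chain's integrity is untouched. The following is an added illustration, not code from the article or from neXt-Curve. To stay standard-library-only it uses a toy HMAC-SHA256 keystream in place of a real AEAD such as AES-GCM, a minimal hash-chained ledger in place of any real blockchain, and a constructed sample record; the `Ledger`, `KeyVault` and `store_pii`/`read_pii` names are assumptions for the demo.

```python
"""Crypto-shredding demo: encrypted PII on an append-only hash chain,
per-subject key held off-chain; erasure destroys the key, not the ledger entry."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Illustration only;
    a production system would use an AEAD such as AES-GCM instead."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()  # integrity tag
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def decrypt(key: bytes, record: dict) -> bytes:
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong key or tampered record")
    return keystream_xor(key, nonce, ct)


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict

    def hash(self) -> str:
        body = json.dumps({"i": self.index, "p": self.prev_hash, "d": self.payload}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    """Append-only, hash-linked list standing in for an immutable blockchain."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> Block:
        prev = self.blocks[-1].hash() if self.blocks else "0" * 64
        self.blocks.append(Block(len(self.blocks), prev, payload))
        return self.blocks[-1]

    def verify(self) -> bool:
        for i, b in enumerate(self.blocks):
            if b.prev_hash != (self.blocks[i - 1].hash() if i else "0" * 64):
                return False
        return True


class KeyVault:
    """Off-chain, mutable store of per-subject keys (assumed component)."""
    def __init__(self):
        self._keys = {}

    def get_or_create(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, os.urandom(32))

    def get(self, subject_id: str):
        return self._keys.get(subject_id)

    def destroy(self, subject_id: str) -> None:
        """The 'erasure' step: drop the key; the ledger itself is never rewritten."""
        self._keys.pop(subject_id, None)


def store_pii(ledger: Ledger, vault: KeyVault, subject_id: str, pii: dict) -> Block:
    record = encrypt(vault.get_or_create(subject_id), json.dumps(pii).encode())
    record["subject"] = subject_id  # only an opaque subject id is on-chain in clear
    return ledger.append(record)


def read_pii(ledger: Ledger, vault: KeyVault, subject_id: str):
    key = vault.get(subject_id)
    if key is None:
        return None  # key destroyed: ciphertext is present but unrecoverable
    for b in ledger.blocks:
        if b.payload.get("subject") == subject_id:
            return json.loads(decrypt(key, b.payload))
    return None


def demo():
    ledger, vault = Ledger(), KeyVault()
    sample = {"name": "Example Person", "email": "person@example.invalid"}  # constructed
    store_pii(ledger, vault, "subject-42", sample)
    before = read_pii(ledger, vault, "subject-42")
    vault.destroy("subject-42")
    after = read_pii(ledger, vault, "subject-42")
    return before, after, ledger.verify(), len(ledger.blocks)


if __name__ == "__main__":
    print(demo())
```

The design point is the split: the immutable ledger never holds plaintext PII, only ciphertext plus an opaque subject identifier, so the Right to Erasure is exercised entirely in the mutable key store. Whether that satisfies a regulator in a given case is the legal question the lawyer's remark addresses; the engineering caveat is that key destruction must be reliable (no backups or escrow copies of the key) and the cipher must be one whose ciphertext genuinely reveals nothing without the key.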
Given the mass movement to mobile and a "mobile first" society, Sharma lists five components of "Mobile Security as a Service" that can address the full lifecycle of GDPR as new service opportunities for mobile operators:
- Identity Management as a Service
- IoT Security as a Service
- Security Analytics as a Service
- Security Forensics as a Service
- Remediation as a Service
"Developing and delivering this integrated portfolio of Contextually-Aware Security services will require mobile operators to think differently about their business and the implications," the note says. "It will be important to design and implement a business model and business capabilities (BSS/OSS) that enable the mobile operator to monetize the value of their GDPR-compliant mobile security platform through an XaaS (Everything as a Service) model."
Sharma went on to say that, as with any newer technology, not every application should be based on blockchain.
Where blockchain makes sense:
- Distributed Trust, enabling a distributed database to be directly shared across boundaries of trust, without requiring a central administrator
- Robustness with Disaster Recovery from Replication
- Audits with all transactions logged
Where blockchain does not make sense:
- For strictly the hype
- Where high performance is needed
- Where it's for internal centralized usage
"We need more work on Blockchain for ID 2020, and the new real-time 5G world of 5ms- or less latencies," Sharma explained. "For IoT and industrial IoT, the community needs a purpose-built blockchain platform, with newer protocols, within a hybrid architecture allowing for dual public/private blockchain solutions, permission-based Smart Contracts, with permission-less if needed, and a Masternode Verification architecture allowing for fast verification."
The neXt-Curve report is free and can be downloaded here.