Blockchain in financial services

Five considerations for blockchain applied to data privacy and GDPR

Share this post:

People share with the world data about themselves that used to be considered private, all of this in exchange for “likes”, comments or coupons. Actually, even when I don’t want to, I need to share private and personal data digitally with my doctor or my insurance. As a result, I receive letters from some of these services providers telling me their systems and my private personal data have been compromised.

I may be more sensitive to privacy than some of my colleagues and I know my kids have a lot to learn about the risks and rewards of their digital lives. One thing is for sure, though, citizens across demographics and geographies aren’t confident about institutions securing and respecting their private data.

When looking at blockchain as a solution to privacy challenges, here are five things to consider which could help us all feel more at ease.

1. A technology and a regulation

Privacy in a digital world isn’t something that can be solved with technology only. It will take a systematic approach that combines culture, education, legal, business, process and technology frameworks. On the technology side, blockchain is making tremendous progress with networks that provide value in areas as varied as food trust, shipping containers, trade finance and international payments. Respecting the privacy of data and transactions is a core tenant for these projects. On the legal side, the European Union General Data Protection Regulation (GDPR), which takes effect at the end of May 2018, is arguably the biggest change in data privacy regulations in the last 20 years. These two movements are gaining momentum and it begs the question: Should you consider applying blockchain technology to support your GDPR efforts?

2. Opposite starting points but same underlying principles

Blockchain started in 2009 with the release of Bitcoin, a new type of digital currency, which is inflation-proof and independent of a central authority. Compare this with the creation of the GDPR laws by EU regulators, and the two initiatives seem at odds… until you look at the underlying principles. I believe blockchain and GDPR share common principles of data privacy. Both want for us to be in charge of our own digital private data — transactions and payments in the case of Bitcoin, or personal data that needs to be shared with others in the case of GDPR.

3. Promising first steps

We are seeing the realization of blockchain networks with privacy at the center, and the proof that these types of networks make business sense for the organizations investing in them. For example, in Singapore, banks and other organizations successfully completed a Shared Know Your Customer (KYC) network, which allows banks and institutions to share KYC information between them over the network. Using this approach, you as a customer can share your personal data once with your bank, then when acquiring products or services from another institution, you give consent to the network to provide the KYC evidence (not your actual personal data) to the other institution. Granted you still have to trust your bank to protect your information. But sharing your information once and then providing consent to share that evidence is much better that sharing your personal documents multiple times. It decreases the risks of your data being breached.

4. Privacy in public networks

Privacy doesn’t necessarily mean you need a private blockchain network approach, one that requires an invitation or is membership-based. For example, one of the goals for the Sovrin Foundation global identity network, is to provide identity capabilities for everyone on the internet — yes, we can identify your computer on the network today, but we still can’t identify you! We are talking about a global identity network, not a private network. But privacy is at the core with Sovrin principles of self-sovereign and decentralized identity. You are in charge of what identity attributes you share with whom and for which purpose, and your attributes aren’t all in one place. To me, these are privacy-enabling features like those of GDPR.

5. Right to erasure

One of the GDPR requirements is the right to erasure when an individual asks an organization that has their personal data to completely remove that data. The organization then has a limited time to comply. Well, if you know blockchain, you know that the blockchain ledger is append-only and immutable — there is no “undo” button after a write, and the chain of blocks contains historical transaction information that goes all the way back to when the blockchain was created. That can be a challenge for applying blockchain to GDPR. To comply with GDPR, no personal data should be put on the blockchain directly. Techniques exist to deal with this, which consist of putting a cryptographic hash on the chain or the “evidence” instead of the actual data. More guidance and expertise needs to be collected in this space. And, as my Promontory colleagues would say, “Be sure to check with your legal counsel!”

If you’re still reading hopefully I was able to give you a glimpse for the potential of blockchain technology applied to privacy and the EU GDPR. With colleagues Cindy Compert and Maurizio Luinetti, we co-authored a point of view on how blockchain can be applied to the five areas of GDPR — rights of EU data subjects, security of data processing, lawfulness and consent, accountability and compliance, and data compliance by design and by default. For each area, we provided example blockchain projects. There is more to be done in this space but is this a good starting point?

Let’s solve digital identity together

IBM Distinguished Engineer, Blockchain in Financial Services

More Blockchain in financial services stories

When are stable coins useful?

Global payments revenue grew by 11 percent from 2016 to 2017, according to the McKinsey Global Payments Report, and is projected to grow a further 9 percent per year until 2022. Counter-intuitively, this can be partly attributed to the declining cost of payments, McKinsey says. As cheaper electronic payments continue to replace cash and cheque, […]

Continue reading

The future is crowdfunded

You may have heard about equity crowdfunding as a way of financing a business. Most people have actually participated in crowdfunding before and don’t realize it. If you’ve ever made a donation or tithed, that is a form of crowdfunding known as donation-based crowdfunding. For those history buffs our there, they’ll inform you that the […]

Continue reading

How blockchain is driving innovation in financial services

The past three years have seen an astonishing number of blockchain pilots introduced to explore the emerging technology’s potential impact in the banking industry. Of course, even during the most manic days of blockchain hype, it was always clear that only the most thoughtful projects would eventually make their way into production and demonstrate real […]

Continue reading