Rethinking blockchain for GDPR
Strangely enough, one of the main reasons why many experts suggest blockchain can’t be used to support GDPR compliance is closely connected to a fundamental strength of the technology: data immutability. Once information is recorded on a blockchain network, it should be practically impossible to change or delete.
Immutability is a powerful weapon for tackling compliance challenges. However, it directly conflicts with the GDPR principle of the ‘right to be forgotten’. This gives you or me the right to ask any organisation that holds our personal information to destroy it. The problem is this: if blockchain data is immutable, it’s there for as long as the blockchain network exists.
Are we thinking about blockchain in the wrong way?
Perhaps, though, people are looking at blockchain’s role in supporting GDPR – and many other regulations – in the wrong way. What if the key is actually not to put the personal information (or whatever data is governed by the regulation you’re complying with) onto the blockchain system at all?
To understand why an organisation would want to do this, you need to remember that with GDPR and other regulations that revolve around protecting and managing data, one key requirement is being able to prove, without any doubt, what has happened to the data throughout its lifetime. How has it been updated, added to or manipulated, for example? Has it been moved or passed on to another system or organisation?
Creating a tamper-evident digital audit trail
To answer those questions you need a tamper-evident digital ‘paper trail’ of all the events that surround the data. Crucially, that trail must be recorded with the same degree of integrity as the data itself. And that is where blockchain really comes into its own. Because it’s the ideal place to hold this trail in a way that is immutable.
So, in the case of GDPR, any personal information about individual customers would go into whatever secure repository the organisation has chosen to store it: an enterprise content management system or CRM system, for instance. Importantly, this system must incorporate high levels of security to maintain privacy as required by GDPR rules. Meanwhile, the event log or digital audit trail gets written to a blockchain – to provide concrete evidence of everything that happened to the customer’s personal information.
Why blockchain data is immutable
It’s worth reminding ourselves just why data placed in a blockchain system is immutable. This is something that goes back to the underlying design of the technology.
Firstly, blockchain information is protected by cryptographic hashes in individual blocks, with each hash containing a link to the one created before it. If anyone wants to change or tamper with information in any single block in the chain, they would have to crack the encryption protecting the chain, and recalculate the hash not just for that specific block, but all existing blocks that came after it. Otherwise alarm bells would start ringing.
Next, because copies of data in a blockchain are distributed across multiple participating nodes on a peer-to-peer network, any unauthorised changes to the data held in one node would not be accepted. Those changes would not match with what is recorded everywhere else. So a hacker – even if they were smart enough to bypass the security of one participant – would not have the power to record any changes.
Similarly, the consensus mechanism operated on blockchain systems requires the majority of participants (nodes) to validate any new data before it can be added to the chain. So if a hacker wanted to make a falsified new entry for their own gains, they would need to be able to take control of the required majority of participants in order to get away with it – which is much harder than hacking into a traditional database.
Perfect for GDPR compliance and more
These capabilities make blockchain the perfect technology to underpin compliance initiatives relating to a wide range of regulations, whether they govern personal information as with GDPR, or other data such as financial transactions or medical or other records.
Blockchain networks not always needed
Importantly, you can enjoy some of the same security advantages without actually placing the audit trail data onto a blockchain. It’s possible to use the same cryptographic hashing techniques used within blockchains to create connected blocks of data – but to store this data in a local IT system rather than out on the blockchain itself. Any ‘bad actors’ who attempted to tamper with the data would still be faced with having to decrypt the required block, modify the hash and recalculate every subsequent hash in the chain. To mitigate this risk, you could choose to store the “root hashes” for the local data on a blockchain system (or an alternative third party notary service), allowing the entire contents of the local event store to be validated.
Breaking the ‘right to be forgotten’ paradox
Even if we assume that no personal information is going to be stored on a blockchain, we’re still left with one problem, one that has been puzzling compliance specialists: how do you prove that a customer’s data has been deleted, without leaving some record that can be tied back to the customer in some way?
Let’s say you have raised a right to be forgotten request (RTBF) with your bank. Here’s one possible scenario of how blockchain could provide evidence of compliance with your request, without leaving any traces of your personal data behind.
First, the bank creates a case ID about RTBF request on its internal case management (or other IT) system – and also uses it to log (on a blockchain) an audit trail of all the steps it takes to purge your data from its systems. When that’s all done, the bank notifies you that the case is closed and all remaining records of the case (including the case ID) are destroyed. Only you – the customer – would then have any record of the case ID.
At a later date you (or an auditor or regulator) could in theory use the case ID to query the blockchain system and view an audit trail of the RTBF.
Using the power of immutability to best effect
Blockchain’s power of data immutability gives it a strong advantage when it comes to supporting data compliance initiatives. Not only does it provide the keys to creating the essential tamper-evident event history surrounding important data – a significant part of countless regulations – but for GDPR it could also pave the way to solving the puzzle of proving that RTBF requests have been complied with.
Neil Evans is CTO for EMEA at Macro 4, a software division of UNICOM Global which specialises in creating secure information systems for customers in heavily regulated industries such as banking and finance.