Could a radically different approach to GDPR compliance be enabled by blockchain?

As you’ll be aware, the EU’s General Data Protection Regulation (GDPR) is fast approaching and will come into effect in the UK on 25 May 2018. 

It will affect businesses large and small, across the public and private sector. However, even though everyone is aware of it, there is also an expectation that virtually every business will be non-compliant in some respect when the regulations take effect. 

Some of this will be down to wilful ignorance, but a lot will simply come as a result of businesses struggling to get to grips with exactly which clauses in a wide-ranging set of regulations apply to them. There’s a lot to think about, especially for companies that may already be behind the curve.   

Which raises the question: would a radically different approach, powered by the transparent and distributed nature of the blockchain, be better? 

The situation now 

To understand whether a new approach is required, it’s worth looking at what exists right now. GDPR is all about how Personally Identifiable Information (PII) - a class of data that is wider than the previously understood personal data - is stored, controlled and processed by all manner of service providers. 

It covers the practices that need to be adhered to and the penalties that organisations face if they don’t comply. While the suggestion that only serial offenders will be hit with the hardest fines might reassure some, small businesses will be worried by the fact that these fines can be as high as €20 million. 

Such fines are likely to be reserved for the major data breaches that have occurred at large enterprises and will be a big step up from the record £400,000 fine that TalkTalk received for its October 2015 breach. Of course, the issues with centralised and insecure databases have not gone away since then, as the Equifax data breach earlier this year has shown.   

Under GDPR, organisations will need to notify the relevant authority of a breach within 72 hours, sharing details of the number of records affected, the likely consequences of the breach, the measures taken to deal with it and what will be done to mitigate any future exposure. 

Implementing such a process on the fly would be impossible, which is why GDPR requires all public organisations, as well as those with large scale data control or processing roles, to appoint Data Protection Officers who will oversee how this works.  

Even setting breaches aside, companies are expected to be able to comply with consumers’ requests to be forgotten, which involve permanently deleting PII from all systems. 

The new regulations mean that businesses of all sizes are looking at additional costs. Small businesses will require data audits at the least and may have to pay for new hires or expensive consultancy work. Larger businesses, which generally have legal and data teams monitoring these areas, will still have to beef up their efforts if they want to avoid the data breaches (and the new fines that come with them) that other large, centralised databases have experienced. 

A radically different approach 

Certainly, as things stand, all businesses are looking at increased costs of one sort or another from the GDPR changes. However, if you look again at the regulations, there is an alternative. 

The key point to remember is that these rules apply to those organisations that control or process PII. Currently, that classification covers an enormous number of small, medium and large organisations.   

But if these businesses choose to remove themselves from it by no longer storing, controlling or processing PII, then this cost and effort could be avoided. That sounds improbable considering how these organisations operate today, but there are innovative technologies that can provide the solution.   

We have seen how the existing approach of personal data being stored in large centralised databases is not working. Individuals feel powerless to control their own digital identities, or to choose whom they trust with them. At the same time, GDPR has come about because many organisations that were trusted to hold this sensitive information have failed to hold it securely. 

A new solution that allows individuals to control their personal data and share it with organisations they want to interact with, just for the moment of interaction, would eradicate many of the GDPR issues that organisations are struggling with.   

Personal data controlled by users 

A decentralised system of trust based on blockchain technology could involve consumers controlling their personal data, including a range of personas with different levels of detail for personal and professional interactions. These could be shared cryptographically, and therefore securely, with service providers at the point of purchase or value exchange.   

Attestation services, another element of this circular economy, would still be needed to provide the validation that service providers need to reassure them the user is who they say they are, whether that be through traditional documents like passports or online interaction data.   

Crucially though, a whole range of service providers would not need to store, control or process any data beyond the transaction period. In a flash, the need to hire new Data Protection Officers or pay for the services of GDPR consultants, as well as the ongoing threat of huge fines for data breaches, would vanish. 

Not only that, because of the distributed and decentralised nature of the blockchain, the principle of ‘privacy by design’ - which is one of the requirements for all data control and processing systems under GDPR - is established from the start. 

So which specific elements of GDPR would this radical approach render unnecessary?   

Since service providers would not be storing, controlling or processing data, there would be no chance of a fine for data breaches. There would also be no need to hire Data Protection Officers or train other staff in the processes around access to, or the permanent removal of, PII. On top of these areas, the new GDPR rules about how consent can be asked for and provided would not be relevant, as PII would not be exchanged.   

Certainly this is a vision for personal data ownership that looks very different to what exists now. But with GDPR changes set to cost businesses a lot of time, effort and money over a long period, might a new system that takes away the burden of responsibility from organisations and returns personal data to the individual be an alternative worth considering? 

Jed Grant, CEO at Peer Mountain 
