WHY THIS MATTERS IN BRIEF
None of us have any control whatsoever over our personal privacy and the information that companies store on us, but Europe’s new GDPR law is about to change all that and as companies struggle to meet the deadline a paradigm shift in the way we manage privacy.
In April 2016, and after Edward Snowden’s expose on how the US National Security Agency (NSA) was using the information that US companies stored on their consumers as its own personal snooping store, the European Union (EU) decided to take a major step forwards in helping European citizens ensure their personal data was protected, and the General Data Protection Regulation (GDPR) was born.
GDPR will come into force on May 25th 2018 and it replaces the 20 year old, almost pre-internet Data Protection Directive (DPD), that dictates how the personal data of EU citizens can be managed and processed.
Not only is GDPR designed to improve the data security and privacy of personal information that companies and organisations hold on the EU citizens, but it’s also designed, perhaps more importantly, to return the control and management of personal data and identities to the individual – something that as our online and offline personal privacy comes under increasing threat from the development of new technologies and technology capabilities, such as Persistent Surveillance Systems and new mind reading systems to name just two of hundreds, I’ve been advocating for some time now, even bringing it up at my recent Marketforce keynote on the Future of Customer Experience.
GDPR is a wide ranging mandate that affects how companies who hold any data that can be used to directly, and indirectly, identify EU citizens manage and safeguard that data, and as a result it will impact almost every company on Earth.
However, while becoming compliant with GDPR in itself is an onerous task, with companies given two years to get their houses in order, one of the biggest potential issues that companies might have with it concerns an individuals right to be forgotten.
In short, this clause gives EU citizens the right to write into companies and ask for all their personally identifiable information to be erased and removed from their systems, and it doesn’t just apply to the company’s production systems – the information has to be erased from everything everywhere, including the company’s backups and disaster recovery systems.
Now, ordinarily, while this is still an onerous task it could be one that’s actually made much worse by the emergence of new Distributed Ledger Technologies (DLT) like Blockchain that companies around the world, from your local bank to your local supermarket, are starting to implement, because unlike a traditional database or system where a company can “just erase” your data the whole point of Blockchain is that it enables companies to audit every instance of a consumer “data event” by recording them onto the chain, and once that information is written onto it it’s on there forever.
For example, deleting or editing a block containing a consumers personal information that is N blocks back from the end of the Blockchain requires an industrious miner to do more work than it took to add all N of those blocks to the Blockchain in the first place, and, furthermore, this work must be completed before a miner adds the next block. Even for blocks that are close to the end of the chain, this is extremely difficult, and for blocks that have been on the Blockchain for a significant length of time, it’s essentially impossible.
As a result we appear to have a conundrum. Blockchain is one of the hottest technologies in town right now, and it can be argued its impact is at least as great as that of Artificial Intelligence (AI), just without the doom mongering. Consequently, it is being feverishly examined, poked, prodded and developed, and increasingly adopted, by almost every large multi-national on the planet, from Citi Group and Walmart to Microsoft, the US Government and Toyota, and that’s a trend that will dramatically accelerate over the course of the next decade.
The result of all this, of course, is that if your company wants to store any information that can be used to personally identify an EU citizen on the Blockchain then, arguably, there’s no way you could be compliant with GDPR, and that, of course, means that you either don’t use Blockchain technology to audit and store personal information, and are therefore unable to realise its significant benefits, or you do and you just wait for the first EU fines to roll in, which, by the way are either $20 million or 4 percent of revenue, whichever is greater, when consumers complain you aren’t “forgetting” them.
So, do we have a stalemate looming on the horizon, one that dooms companies to use 1990’s style databases and systems forever? Well, officially, the jury still seems to be out but from what I’ve been able to garner there might be a few answers, and a way out of the complicated conundrum.
The first answer is that companies could embrace something like Accenture’s new “editable” Blockchain, which when boiled down, because it breaks Blockchains’ immutability and “trust system” simply means they’d be adopting a proprietary, distributed database by another name.
The second is allowing access to the data to be removed via a trigger in a Smart Contract, and that data privacy could then be controlled via Blockchain’s rigorous security features. However, in this example the data would still be on the Blockchain but it would be inaccessible, and, officially, even though it would probably be the most convenient solution it probably wouldn’t meet the GDPR’s expectation which explicitly states that data must be removed. That said though a “small” amendment to GDPR to “bring it up to the times” could resolve this situation, and potentially please all parties quite quickly.
The third solution, and perhaps the best solution for all concerned is, especially from the consumers point of view, what if the onus of personal data stewardship wasn’t on the controller and processor at all, but instead, given to the consumer? This is known as a “Sovereign ID system,” and there are several Blockchain platforms that enable this available today.
This approach though would be nothing less than a paradigm shift in the way we manage consumer privacy, and it’d be one where, finally, consumers, not companys, have the power to audit, control, including the ability to grant and rescind access to, and manage every aspect of their personal information, and this is where Blockchains capabilities suddenly become very interesting, and potentially a match made in Heaven. The fact that it also gives companies a potential easy way out of their conundrum probably doesn’t hurt either.
In order for an individual to manage their own information they and they alone need to have complete access to it, the data must be trusted by third parties as valid, so that it can be used as easily as any physical identifier, and they need a way to grant and rescind access.
With Blockchain, we have a distributed ledger technology, meant to provide information that no distinct entity controls or manages, and because Blockchain uses a decentralized network of peers, where the history and current validity of data is publicly auditable, it becomes a neutral, trusted and secure mechanism for self-managed user identity.
By placing a data storage layer and a key, smart contract or some other access mechanism on top of it, an individual can not only securely store their data, but can now grant and rescind access to processors as needed. Similarly, trusted issuers, like governments and licensing agencies, could be permitted to add identity information to an individual’s Blockchain record as permitted, or as requested, by the individual.
The idea that Blockchain could be used to manage identity isn’t new though, in 2015, Guy Zyskind authored a paper describing in detail how it could be used to secure personal data, and later in 2015, a paper from the “Rebooting the Web of Trust” workshop, “Decentralized Public Key Infrastructure,” outlined how Blockchain could be used to manage key value stores in order to facilitate secure, self-managed identities.
Nowadays we have companies like ShoCard and the Sovrin Foundation that let consumers add their physically issued identities to a Blockchain and grant access to third parties, and GDPR, that espouses greater individual control over personal data, dovetails that idea, of Blockchain for self-managed identity, very nicely.
One of the authors of the decentralized PKI paper, Christopher Allen, describes the concept of self-owned and managed identity as “Self-sovereign” identity, a term that he defines in a set of 10 principles that, conveniently, seem to align with the standards established by the GDPR.
This alignment is a further testament that the GDPR may signal not just an emphasis on individual data control, but a change in the mechanisms by which identities are stored and managed, so as a result it’s no wonder that together Blockchain and GDPR champions are all espousing the same thing, the need to fundamentally change the way we control and manage personal information.
From a principle and practical perspective, it also means that the status quo of banks, governments, individual websites and social networks keeping disparate identity stores would change, and that finally consumers would have sovereignty over own information.
As both the concept of self-sovereignty and regulation around user control and privacy grow, especially in Europe, it looks like the age of the consumer might be emerging and that the future of digital identity could look very different to the kludge that we experience today.