New Technologies will Help Firms Meet GDPR Requirements

In Europe, GDPR came into force in 2018, but the big fines have only started being applied in 2019. Last month saw the Information Commissioner’s Office (ICO) hand British Airways and its parent, International Airlines Group, the largest fine so far, £183m, for leaking the personal data of 380,000 of its customers. This was swiftly followed by a further statement of intention to fine Marriott over £99m for exposing personal data from 339 million guest records globally.

These cases show that data breaches are no longer just a public-relations liability but carry a direct financial impact, and that impact looks set to increase. Meanwhile, the exponential growth of the Internet of Things (IoT), made possible by advances in 5G and edge computing, will demand more comprehensive data management and 100% reliability.

By 2020, 30 billion devices will be online, generating 600 zettabytes per year, says IBM. By 2035, more than 75 billion IoT devices will be connected.

How is all this data going to be managed by enterprises in a secure way? Privacy by design is one of the stipulations of GDPR. One of the technologies that appears best placed to address data management and privacy concerns is blockchain. Its distributed, decentralised characteristics secure and authenticate transactions and data through consensus and cryptography, and information is stored across multiple devices. As such, there is no single point of failure and, consequently, compromising the system becomes hard.

However, it isn’t just about the protection of the data. One of GDPR’s key provisions is the “right to erasure”, more commonly referred to as the “right to be forgotten”. Yet removing data entirely from any system is not as straightforward as it seems. Every single piece of information relating to a person (or persons), on every file, register, database, mailing list and back-up server, must be removed forever and must not be recoverable. Conventional blockchains would struggle to fulfil this because of their append-only structure and their inherently immutable and transparent properties.

Currently, the main blockchain technology providers are all based on single-chain architectures, such as IBM’s Hyperledger Fabric and Ethereum. These monolithic structures have two main implications for data protection: i) all information is disseminated to all the nodes on the network, including those that do not need it; and ii) values can be changed but cannot be deleted altogether. Recent releases of conventional blockchain platforms have added the ability to store data “off-chain” as a way of segregating private data and allowing it to be purged as required. While this approach offers proof that private data existed at some point, the data itself no longer benefits from the secure and immutable characteristics of the blockchain. These retrospective workarounds are considered partial solutions to fundamental architectural limitations.

Multi-chain platforms offer a complete solution. Private data can remain on-chain by creating a blockchain that contains only the relevant parties, for example a customer and a business. Data can be selectively shared between this chain and other chains. To “forget” or “delete” the data, the entire private chain can be deleted without consequence to the other chains, providing a complete end-to-end blockchain solution to the deletion challenge.
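The two preceding paragraphs make an architectural argument: erasing a record in place on an append-only chain breaks its hash links, whereas keeping personal data on a separate private chain and anchoring only a salted commitment on the shared chain lets the private chain be dropped whole. The following is an added illustration written for this article, not code from Interbit or any named platform; the `Chain` class, record contents and salt are constructed for the demonstration.

```python
import hashlib
import json

def _digest(payload: dict) -> str:
    # Canonical JSON so the same content always hashes the same way
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class Chain:
    """Minimal append-only hash chain: each block commits to the previous block's hash."""
    def __init__(self):
        self.blocks = []

    def append(self, data: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"prev": prev, "data": data, "hash": _digest({"prev": prev, "data": data})}
        self.blocks.append(block)
        return block["hash"]

    def valid(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _digest({"prev": b["prev"], "data": b["data"]}):
                return False
            prev = b["hash"]
        return True

def demo_single_chain_erasure() -> bool:
    """Erasing a record in place on one shared chain invalidates the chain (returns False)."""
    shared = Chain()
    shared.append({"customer": "alice@example.test", "order": 1})  # constructed sample data
    shared.append({"customer": "bob@example.test", "order": 2})
    # Attempt the "right to erasure" by overwriting the personal data in block 0
    shared.blocks[0]["data"] = {"customer": "<erased>", "order": 1}
    return shared.valid()

def demo_multi_chain_erasure() -> tuple:
    """Personal data lives on a private chain; the shared chain stores only a salted commitment.
    Deleting the private chain leaves the shared chain valid and the data unrecoverable."""
    private, shared = Chain(), Chain()
    head = private.append({"customer": "alice@example.test", "order": 1})  # constructed
    salt = "constructed-random-salt"  # real deployments: os.urandom, kept only with the private chain
    private.append({"salt": salt})
    # The shared chain sees neither the record nor the salt, only a commitment to the private head
    shared.append({"commitment": _digest({"salt": salt, "head": head})})
    del private  # "forget": the entire private chain is discarded, not edited
    return shared.valid(), len(shared.blocks)
```

The salt matters because a bare hash of a small record could be brute-forced once the commitment is public; with the salt gone along with the private chain, the commitment reveals nothing.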

The commercial adoption of blockchain technology solutions has been slower than expected because of a number of obstacles, such as demonstrating business value and defining a suitable governance model. As these initial hurdles are overcome and the technology develops and matures, the regulatory hurdles also need to be addressed. Solutions that tackle regulatory issues at the architectural level will be best positioned to drive value for businesses and to stave off public-relations liabilities.


Written by Dominic McCann, CEO at Interbit

