Blockchain, The Game-changer of Data Governance

Data Governance is our priority when designing a data management solution. The significant contradictions between blockchain technology and The European Union’s General Data Protection Regulation (GDPR) arouse vigorous discussions in the industry. In contrast, European Parliament highlights that it can be a suitable tool to achieve some GDPR objectives.

Make sure to read blockchain technology’s features and strategic business values, as we now explore how blockchain technology changes the game in data governance as more governments experiment with new operations.

Contradictions between blockchain technology and GDPR

The study “Blockchain and the General Data Protection Regulation”, written by European Parliament, highlights several paradoxes in the fundament of blockchain technology and GDPR:

• Data Controller
  GDPR assumption: Data is centralised on at least one or legal person.
  Blockchain technology concept: Data is decentralised to multiple nodes.
• Data Modification
  GDPR assumption: Data can be modified or erased where necessary to comply with Articles 16 (Right to rectification) and 17 (Right to erasure).
  Blockchain technology concept: Data is immutable and stored in the append-only database to ensure data integrity and increase network trust.
• Data Process
  GDPR requirement: Personal data to be kept to a minimum and only processes data purposefully specified in advance.
  Blockchain technology concept: Databases grow continuously as new data is added.

The study also underlines different forms of distributed databases. Hence the compatibility between distributed ledgers and the GDPR is determined by a case-by-case analysis that accounts for the specific technical design and governance set-up of the blockchain use case.

The above analysis leads to two overarching conclusions:

• Blockchain use cases’ technical specificities and governance design can be hard to reconcile with the GDPR. Therefore, blockchain architects must be aware of this from the beginning and ensure their design complies with GDPR.
• It also stresses the current lack of legal certainty on how blockchain can be designed to comply with the regulation – Not just due to specific features of this technology but also highlights significant conceptual uncertainties related to GDPR.

How can blockchain technology achieve GDPR objectives?

There was an ongoing policy debate in European Parliament on this topic. Their report in 2018, Blockchain: A Forward-Looking Trade Policy, pointed out that ‘blockchain technology can provide solutions for the ‘data protection by design provisions in the GDPR implementation based on their common principles of ensuring secured and self-governed data.’ Recital 7 GDPR foresees that ‘natural persons should have control of their own personal data.’ This rationale is based on the data subject rights, such as the right of access (Article 15 GDPR) or the right to data portability (Article 20 GDPR) that provide data subjects with control over what others do with their data, and what they can do with that personal data by themselves.

At the 52^nd Hawaii International Conference on System Science in 2019, a group of experts proposed a multi-layer blockchain system which can provide users with complete data transparency and control over their data. European Parliament commented that this solution would help comply with the right to access (Article 15 GDPR) and grant a fundamental right to individuals to access their personal information. This looks like a significant move in blockchain because European Parliament recognises the new standards. We believe more corporates are willing to explore the feasibility of applying blockchain in their business, and experimental cases will be boosted out in the market.

Blockchain applications in European Union

Estonian eHealth Patient Portal
Estonia is one of the first governments to embrace blockchain technology. Estonian eHealth Patient Portal, a blockchain-based infrastructure, has been used by their eGovernment to give individuals more control over their health data. A patient can authorise access to their data. By default, medical specialists can access data. However, a patient can deny access to any case-related data to any care provider, including their own general practitioner/family physician.

MyHealthMyData
MyHealthMyData is a project funded under the EU Horizon 2020 scheme that uses blockchain technology to create a structure where data subjects can allow, refuse and withdraw access to their data according to different cases of potential use. Further research can build on this project to determine whether blockchain technology can achieve GDPR objectives and create a benchmark for the industry.

Blockchain Roadmap of the UK Government

The UK Government is endeavouring to develop blockchain use cases and governance.  A report by the UK Government Chief Scientific Adviser in 2016 acknowledged that Distributed Ledger Technologies could help governments collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services. In the NHS, technology can enhance health care by improving and authenticating the delivery of services and by sharing records securely according to exact rules.

Yet, effective governance and regulation are critical to successfully implementing distributed ledgers. Law will need to evolve in parallel with the development of new technology applications.

HM Revenue and Customs started a trial on social welfare payment distribution in June 2016 to track the distribution of benefits. They are still working with a UK start-up to integrate blockchain technology into supply chains to increase efficiency and security.

Department for Work and Pensions studied the first full production implementation, such as Santander’s One Pay FX, a blockchain-based international payments service to retail customers in multiple countries. The benefits include reducing transaction time, cost and failure rate whilst data is stored on a secure, immutable ledger.

Conclusion

Though there are significant tensions between the nature of blockchain technology and the legal frameworks surrounding data privacy, blockchain technology can be an alternative form of data management system for you to achieve particular data governance objectives, depending on the system architecture. With more governments recognising the benefits brought by blockchain, we believe blockchain technology can be compatible with data privacy law.

Despite the legal framework of GDPR being built on the fundament of a centralised database system, corporates should be more familiar with the regulations; they can face catastrophic data breaches and hefty fines in light of weak security layers. Data breaches of British Airways in 2018 and Marriott in 2020 were considered case studies.

British Airways was fined £20m for a data breach which affected more than 400,000 customers. A subsequent investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place at the time.

Marriott International was fined £18.4m for a data breach that exposed 339 million customer records in 2018, caused by poor data management policies and unencrypted sensitive data. An investigation by the Information Commissioner’s Office found the hotel giant “failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.”

In other words, a robust security system is essential to data protection, not the technology itself.

Other than data privacy law, Financial Stability Board intends to implement its first recommendations on global crypto regulation in early 2023. This powerful regulation may provide more clarity for the crypto businesses on how to set up the blockchain system. Let’s follow the latest news on the regulation.

Our upcoming discussion focuses on how blockchain can improve cybersecurity and impact different business cases.

How CACI can help

Our experts can advise you on the best practice for managing your data under your regulatory requirements. We help large enterprise organisations define and execute data standards, policies and strategies.

Get in touch with us today.

Notes:
[1] Blockchain and the General Data Protection Regulation (europa.eu)
[2] Article 16 & 17: Right to rectification (gdpr.org)
[3] REPORT on Blockchain: a forward-looking trade policy | A8-0407/2018 | European Parliament (europa.eu)
[4] BPDIMS:A Blockchain-based Personal Data and Identity Management System (researchgate.net)
[5] Estonian Health Records to Be Secured by Blockchain – Bitcoin News
[6] Personal control of privacy and data: Estonian experience | SpringerLink
[7] My Health My Data
[8] Distributed Ledger Technology: beyond block chain (publishing.service.gov.uk)
[9] GovCoin Systems Implements Social Welfare Payments Distribution Trial for UK’s Department for Work and Pensions | Business Wire
[10] Transforming for a digital future: 2022 to 2025 roadmap for digital and data – GOV.UK (www.gov.uk)
[11] Santander One Pay FX, a blockchain-based international money transfer service – (enterprisetimes.co.uk)
[12] The changing world of payments – DWP Digital (blog.gov.uk)
[13] British Airways fined £20m over data breach – BBC News
[14] Lessons learned: the Marriott breach – Infosec Resources (infosecinstitute.com)
[15] Marriott Fined £18.4m Over Data Breach – Infosecurity Magazine (infosecurity-magazine.com)
[16] FSB ready for rapid rollout of global crypto standards (ft.com)