The Blockchain GDPR Puzzle: An Expert Weighs In

By Cynthia S. Artin June 11, 2018

It’s no wonder that when two massive technology shifts are brought together, experts in each area rush to weigh in at the intersection.

Akshay Sharma, Principal Analyst for the boutique advisory firm neXt-Curve, shared strong views in a note published last month on the potential for blockchain technologies to enhance compliance with the General Data Protection Regulation (GDPR), rather than serve as its “polar opposite.”

Often a contrarian, Sharma, a former Gartner analyst who studied and wrote on network infrastructure and software trends, called out in his note early proofs of concept that use blockchain and tokens to improve the protection of private information.

Since the EU’s requirement went live last month, after years of planning, there’s growing interest in whether blockchain is a friend or foe of GDPR, because a blockchain keeps an immutable registry of transactions in a distributed ledger designed to ensure that data integrity is maintained.

According to Gartner, a blockchain is a type of distributed ledger in which value-exchange transactions (in bitcoin or another token) are sequentially grouped into blocks. Each block is chained to the previous block and permanently recorded across a peer-to-peer network, using cryptographic trust and assurance mechanisms.

As Sharma writes, “In the realm of information security, blockchain-enabled information security applications offer alternative methods to establish trust and resiliency with little reliance on centralized arbiters, and track digital assets (data types, identifiers, credentials, encryption keys, transactions and device attributes).”

He explains that GDPR demands that organizations take specific measures to protect data using people, processes and tools:

  • Take a risk-based approach to data protection and security, by assessing, monitoring and plugging all vulnerabilities (network, application, organizational, etc.)
  • Establish technical measures to validate that data is protected, with encryption techniques, and have systems in place to ensure the records are under policy control and customers have the right to be “forgotten”
  • Continuously monitor data protection measures, and report as needed
  • Correct any protection failures and notify the authorities when compromised

According to Sharma’s note, auditing is key, and “by leveraging Hybrid Public and Private Blockchain technology, with permission-based controls, blockchain technology can facilitate the managing and auditing processes of personally identifiable information (PII) by leveraging its underlying encryption capabilities, logging of all transactions, policy controls within its smart contracts, and resiliency within its highly replicated architecture.”

Sharma envisions enterprises using blockchain for smart contracts with policies for consent management, as well as policies identifying who can view, update and transact with this data.

“Blockchain can provide the audit and compliance tasks for organizations while providing individuals with a platform to see who has interacted with their information, and with policy controls can opt-out to be forgotten,” Sharma says, in contrast to other pundits who claim public blockchain is the antithesis of GDPR.

Sharma suggests enterprises conduct thorough risk assessments, with a deep understanding of their current network infrastructure and analysis of the vulnerabilities that could lead to GDPR non-compliance. This includes working with Communications Service Providers (CSPs) and contact center vendors to ensure all transactions – on the web, on the phone, on social media – observe GDPR compliance requirements.

“Blockchain's immutability for the Right to be Forgotten vs the Right for Erasure is important to consider,” Sharma said in an interview. “Forgotten can be controlled and stored in the Blockchain, just not used, for example storing it in a private blockchain that no one has access to. Erasure is tricky as the Blockchain stores it but in an encrypted form.”

According to one EU lawyer, the Right to Erasure is still achieved as long as the encryption keys are destroyed and the stored data is not recoverable.
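The key-destruction approach described above (often called crypto-shredding) can be shown end to end in a small model, as an added example that is not from the article or from neXt-Curve. It assumes a hypothetical hash-chained `Ledger` standing in for a private blockchain, a hypothetical off-chain key store in `PiiStore`, and an HMAC-SHA256 counter-mode keystream as a stdlib-only stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with an HMAC-SHA256 counter-mode keystream; stdlib stand-in for AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Ledger:
    """Append-only hash chain (hypothetical): each block commits to the previous hash."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: bytes) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        h = hashlib.sha256(prev.encode() + payload).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": h})
        return h

    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or hashlib.sha256(prev.encode() + b["payload"]).hexdigest() != b["hash"]:
                return False
            prev = b["hash"]
        return True

class PiiStore:
    """PII reaches the ledger only in encrypted form; per-subject keys stay off-chain."""
    def __init__(self):
        self.ledger = Ledger()
        self.keys = {}          # subject_id -> key (hypothetical off-chain key store)

    def record(self, subject_id: str, pii: bytes) -> str:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        return self.ledger.append(nonce + keystream_xor(key, nonce, pii))

    def read(self, subject_id: str, block_hash: str) -> bytes:
        payload = next(b["payload"] for b in self.ledger.blocks if b["hash"] == block_hash)
        return keystream_xor(self.keys[subject_id], payload[:16], payload[16:])  # KeyError once erased

    def erase(self, subject_id: str) -> None:
        # Right to erasure via crypto-shredding: destroy the key, leave the chain untouched.
        del self.keys[subject_id]
```

After `erase`, the block is still on the chain and `verify()` still passes, but the ciphertext it holds can no longer be decrypted by anyone.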

Given the mass movement to mobile and a “mobile first” society, Sharma lists five components of “Mobile Security as a Service” that can address the full GDPR lifecycle, as new service opportunities for mobile operators:

  • Identity Management as a Service
  • IoT Security as a Service
  • Security Analytics as a Service
  • Security Forensics as a Service
  • Remediation as a Service

“Developing and delivering this integrated portfolio of Contextually-Aware Security services will require mobile operators to think differently about their business and the implications,” the note says. “It will be important to design and implement a business model and business capabilities (BSS/OSS) that enable the mobile operator to monetize the value of their GDPR-compliant mobile security platform through an XaaS (Everything as a Service) model.”

Sharma went on to say that, as with any newer technology, not every application should be based on blockchain.

Where blockchain makes sense:

  1. Distributed Trust, enabling a distributed database to be directly shared across boundaries of trust, without requiring a central administrator
  2. Robustness with Disaster Recovery from Replication
  3. Audits with all transactions logged

Where blockchain does not make sense:

  1. Strictly for the hype
  2. Where high performance is needed
  3. Where it's for internal centralized usage

“We need more work on Blockchain for ID 2020, and the new real-time 5G world of 5 ms or less latencies,” Sharma explained. “For IoT and industrial IoT, the community needs a purpose-built blockchain platform, with newer protocols, within a hybrid architecture allowing for dual public/private blockchain solutions, permission-based Smart Contracts, with permission-less if needed, and a Masternode Verification architecture allowing for fast verification.”

The neXt-Curve report is free and can be downloaded here.

Edited by Ken Briodagh

Contributing Writer
