What does GDPR mean for blockchain technologies?
By now, almost everyone has heard about General Data Protection Regulation (GDPR), which came into effect in the EU on May 25, 2018. As a result of GDPR, not only were EU organizations affected, but so were many international companies who have dealings with EU data subjects. Violation of these rules could potentially result in a huge penalty of up to 20 million Euros or 4 percent of a company’s global sales, whichever is higher — a major fine for most enterprises. Organizations that conduct business globally have faced difficulty this year in dealing with an inventory of privacy data, formulation of data protection policy, security measures and so forth.
What does this have to do with blockchain?
One of the important features of blockchain is that the information recorded in a blockchain cannot be changed or deleted without the consent of all who are permissioned. It’s designed to be hard to tamper with because blocks are connected by hash values. In addition, “shared ledger technology,” which is an alias of blockchain, indicates that the data on the blockchain will be shared with participating organizations in the blockchain network.
GDPR, however, gives consumers the right to have personal information erased. When they request this, companies need to comply. If your organization saves personal information in a blockchain, you can’t meet this requirement and may become non-compliant with GDPR. Given the reality of GDPR requirements, it may be preferable to avoid using blockchain for personal information.
How can we address GDPR requirements in blockchain technologies?
A potential solution that organizations may want to adopt for addressing GDPR, therefore, is to avoid recording privacy-related data into the blockchain. Instead, personal information is saved in a separated database, and you can record the URL and the hash value of the personal information into the blockchain. By doing this, when a request for deletion from an individual occurs, you could satisfy the requirement by deleting the information in the external database. The URL and the hash value would be left on the blockchain, so you need to make sure this information is structured to contain no personal information or information that could identify a person so that it’s outside of GDPR requirements. It is always advisable for clients to consult with their authorities to ensure their approach meets regulatory requirements. With this approach, personal information is stored only in one external database and never shared to the entire business network. Of course, a critical step in this approach is to encrypt the personal information in the external database with pervasive encryption to ensure it is properly protected.
Hyperledger Fabric, which is being expanded by the Hyperledger project from Linux Foundation, implements functions to help satisfy these requirements. One of them is the function called Private Data Collection added in v1.2. With Private Data Collection, personal information can be saved only in an external database (called side DB) on a specific peer (node). On the blockchain, only the hash value of private data is recorded and shared by participating organizations.
The following security features are available when you implement IBM Blockchain Platform for IBM Cloud Private on IBM Z® or LinuxONE:
- Pervasive encryption automatically encrypts all data, not only on disk but also in memory using a hardware accelerated encryption module. It protects privacy data in the database and the blockchain.
- Encryption keys are stored in a “hardware security module” and cannot be removed from it. With solutions like Enterprise Key Management Facility, this helps prevent a leak or loss of secret keys and spoofing.
- Secure Service Container addresses logins to a container or operating system as an administrator. It helps eliminate the risk of an attack to your operating system.
In Hyperledger Fabric, privacy-friendly function expansions are scheduled. One of them is the Identity Mixer implemented in v1.3. This technology was developed at IBM Zurich Laboratories and provides an authentication method that enables privacy protection. For example, how do you prove you are over the age of 20 on the internet? In general, you probably submit a copy of your identification card, such as a driver’s license. However, if you present a copy of your ID card, you’ll also provide information other than your age that you don’t need to disclose. By using authentication technology provided by Identity Mixer, it’s possible to provide authentication information that verifies your age is over 20. For companies, it isn’t necessary to keep extra personal information, so the cost of information management can be reduced by using Identity Mixer. Moreover, the authentication information created by the Identity Mixer is structured so that it cannot be associated with the information of the source identification card. Therefore, even if you provide personal information (age, address, gender, nationality and so forth) through Identity Mixer on various internet sites, site owners cannot access the source of the information and can’t restore your identify information. This helps improve privacy protection on the internet.
IBM solutions for blockchain success
IBM provides the IBM Blockchain Platform, an enterprise-ready blockchain application development platform based on the Hyperledger Fabric. It can be used on IBM Cloud or on premises using IBM Cloud Private. IBM Blockchain Platform is designed for the deployment, management and governance of business networks. Also, it’s a safety focused and more robust platform thanks to the features delivered by IBM Z and LinuxONE, including the hardware security module, Secure Service Container and pervasive encryption.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.