Blockchain in a post GDPR World

Blockchain’s explosive growth has had businesses all over the globe scrambling to invest. But with GDPR fast approaching, how will an unchangeable database cope with the right to be forgotten?

How do you inflate your share price by 400% in a day? The answer is simple: add the word blockchain to your company’s name. As absurd as these figures seem, this is actually what happened last October to venture capitalist firm On-line Plc, following their decision to alter their name to On-line Blockchain Plc.

Olivia Green - Article

This shocking report is an accurate reflection of the current level of hype surrounding this new technology, with companies left, right and centre moving to adopt blockchain. A reported 57% of large UK corporations now have immediate plans to implement blockchain into their infrastructure by the end of 2018, while demand for blockchain specialists has nearly tripled in the last year alone. But while organisations have been avidly investing in this new phenomenon, they have also (rather more reluctantly) been preparing for an equally important, but slightly less exciting, development in the tech world: GDPR.

Much of the hype surrounding blockchain has been garnered because it is an immutable method of storing information, meaning that once information is loaded onto the blockchain, it cannot be edited or deleted. However, come May 2018, this unique feature may bring more pain than joy to businesses, as one of the most significant clauses in GDPR comes into effect: the right to be forgotten. This stipulates that individuals have the right to insist that organisations erase any personal information they hold on them. Apply this clause to blockchain, and the result is a non-compliant system and a £17 million fine. So what options do businesses have?

Edit the uneditable

One answer is to change blockchain itself. Accenture, for example, have recently patented an “editable” version of blockchain, which can be altered under certain circumstances by pre-ordained parties. This modification could easily be moulded into a GDPR-compliant form and is, at first sight, an appealingly easy solution.

However, there are some problems with this approach. As critics have pointed out, one of blockchain’s key (and unique) values is its immutability. It is this feature, making it immune to certain kinds of malicious interference such as misappropriation of assets or fraudulent financial reporting, that gives it so much appeal. By allowing even the possibility of interference, its trustworthiness as an absolute source of information is diminished. For organisations such as banks and other financial institutions, who are anxious to utilise the power of blockchain to build trust and protect against this kind of interference, an “editable blockchain” is unlikely to be a satisfactory solution.

Legal loopholes

For those who are either unwilling or unable to adopt an editable model, legal solutions may be sufficient. GDPR itself offers no explanation as to what “erasure” actually constitutes, and, while this might seem obvious at first sight, it could be an opportunity. In the past, for example, some authorities have ruled that encryption can legally be equal to deletion; that is, if data is irreversibly encrypted, it is considered to be erased. It is possible to apply mechanisms like this to data stored on blockchain by encrypting pieces of data and then “losing” the decryption key, effectively meaning that the information can never be read.

However, this is a risky solution for organisations. As the data is not actually deleted in this process, but simply rendered inaccessible, it may be vulnerable to future technological developments able to break its encryption (quantum computing, for example). With this in mind, it is likely that European authorities will insist on a strictly all-or-nothing interpretation of data deletion, meaning that relying on mechanisms such as encryption to achieve compliance would be dangerous.

Going off-grid

If neither of these options suffices, businesses can take a more extreme route: remove personal data from the blockchain completely. This does not necessarily mean disposing of blockchain too: one possible workaround, described in more depth here, reduces blockchain to a simple “access control medium”. Instead of storing personal information on the chain, links to external databases containing said information can be placed in blocks. As the rules of blockchain no longer apply in these external databases, any information stored like this could be freely deleted or changed at will. The benefits of this approach are clear: it allows for full, uncontested erasure of data, while still retaining some of the functionality of blockchain.

However, as with other options, this is still not a wholly satisfying solution. It creates an inefficient, complex process, and reduces transparency over who is accessing personal data and how, paradoxically creating even more hurdles to GDPR compliance, which also requires that organisations have accessible and transparent processes for data management. Additionally, removing data from the immutable environment of blockchain gives rise to the same problems faced by Accenture’s “editable blockchain”: external databases can be altered or subjected to fraudulent interference, and so the trustworthiness of the system is undermined.
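The off-chain pattern described above, as an added example that is not from the original article: a hash chain whose blocks hold only a pointer and a salted commitment, while the personal record lives in a deletable external store. The `Chain`, `OffChainStore` and `check` names, and the use of a per-record HMAC commitment to detect the off-chain tampering the article warns about, are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def commit(salt, record):
    # Keyed by a per-record salt, so the on-chain value alone cannot be guessed back to the record.
    return hmac.new(bytes.fromhex(salt), json.dumps(record, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class Chain:
    """Append-only hash chain (hypothetical). Blocks carry a pointer and a commitment, never the data."""
    def __init__(self):
        self.blocks = []
    def append(self, pointer, commitment):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "pointer": pointer, "commitment": commitment}
        self.blocks.append({**body, "hash": digest(body)})
    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            body = {k: b[k] for k in ("prev", "pointer", "commitment")}
            if b["prev"] != prev or b["hash"] != digest(body):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable external database (hypothetical): the only place the personal data lives."""
    def __init__(self):
        self.rows = {}
    def put(self, record):
        pointer, salt = secrets.token_hex(8), secrets.token_hex(16)
        self.rows[pointer] = {"salt": salt, "record": record}
        return pointer, commit(salt, record)
    def erase(self, pointer):
        del self.rows[pointer]  # record and salt are deleted together

def check(chain, store, index):
    row = store.rows.get(chain.blocks[index]["pointer"])
    if row is None:
        return "erased"  # the pointer now dangles; the chain itself is unchanged
    return "intact" if hmac.compare_digest(commit(**row), chain.blocks[index]["commitment"]) else "tampered"

def demo():
    chain, store = Chain(), OffChainStore()
    for rec in ({"name": "Alice Example"}, {"name": "Bob Example"}):  # constructed sample records
        chain.append(*store.put(rec))
    store.rows[chain.blocks[1]["pointer"]]["record"]["name"] = "Mallory"  # silent off-chain edit
    store.erase(chain.blocks[0]["pointer"])  # erasure request for the first record
    return [check(chain, store, i) for i in range(2)], chain.verify()
```

`demo()` returns `(["erased", "tampered"], True)`: the erased record leaves the chain verifiable, and the edited record no longer matches its on-chain commitment.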

An uncertain future

So where does this leave organisations who use blockchain? The answer, at this stage, is frustratingly unclear. Every solution detailed above involves either sacrificing the functionality (and benefits) of blockchain or risking the security of personal data. The latter is hardly an attractive option, and if organisations must transform the blockchain beyond recognition to become compliant with GDPR, it begs the question: what is the point in using the blockchain at all? Yet it is hardly practical for authorities to demand that organisations simply stop using blockchain, given its soaring popularity, proven benefits and widespread adoption.

In ethical terms, Blockchain’s immutability is a paradox: on the one hand, it helps to prevent corruption, fraud and theft; on the other, it removes the individual’s rights over his or her personal information. This paradox makes it a complicated system to legislate effectively for, and the current tensions are symptomatic of lawmakers’ struggles to keep up with new developments in the fast-paced and ever-changing world of technology. In this case, it may not just be businesses that need to adapt; legislators too may need to take an iterative and flexible approach to GDPR.

Come May 2018, reconciling GDPR and blockchain will likely be just one challenge among many for both corporations and legislators. Yet as blockchain becomes ever more tightly wound into the infrastructure of major organisations around the globe, it is not a challenge that either can afford to ignore.

Data, consumers and trust: the quiet crisis

Building trust-based relationships with clients has always been important for successful business practice. As the global data pool grows and consumer fears over personal privacy increase, it may become make-or-break. Digilab’s Olivia Green investigates.

In the last two years, we have created 90% of the total data in the world today. In a day, we spit out an average of 2.5 quintillion bytes – and counting. From smart watches that monitor our heartrates to chat-bot therapists who manage our anxiety, nearly every aspect of our lives can be digitized. This undoubtedly provides us with immense benefits – increased speed, convenience and personalisation to name a few. Yet it also gives rise to a challenge: how do we protect our right to privacy?

Anxieties over internet privacy are nothing new. As the data pool continues to expand, however, they have been picking up steam. Hacks and other tech-related scare stories are now a daily occurrence on our newsfeeds, and they are increasingly hitting closer to home. Back in May, the credit card details and passwords of nearly 700,000 UK citizens were compromised when Equifax fell victim to a hack. Even our private conversations don’t feel safe, as it emerged last month that Google’s new Home Mini had been accidentally recording its users without their knowledge.

Corporations themselves are also a target of consumer fear, and they are beginning to pay the price. According to recent research, US organisations alone lost $756 billion last year to lack of trust and poor personalisation, as consumers sought out alternatives. UK consumers share similar anxieties; nearly 80% cite a lack of confidence in the way that companies handle their information as an extreme source of concern, while just under half now view data sharing as a “necessary evil”: something they will do reluctantly if they deem the reward high enough.

These findings aren’t an anomaly. Statistics gathered last year by the ICO show that only 22% of UK consumers trust internet brands with their personal data; more shockingly, they highlight that while over 50% of consumers trust High Street banks, only 36% have confidence in Governmental bodies to manage their data properly.

The price of complacency

So far, companies have largely managed to side-step the more serious consequences of consumer mistrust and data mismanagement. Not all have been lucky though. The notorious Ashley Madison hack in 2015 is a prime example of just how damaging loss of trust can be. The website, which provided an online platform enabling married people to conduct affairs, fell victim to hackers who published a digital “name and shame” list of its clients. For a business whose model was so dependent on trust and confidentiality, this proved disastrous. Despite the organisation’s insistent claims otherwise, analysis by SimilarWeb revealed that monthly site traffic had plunged, dropping by nearly 140 million a mere four months after the attack.

For some, the fallout is less dramatic, but still worrying. Take Uber’s recent breach for example, which dragged its already battered corporate reputation through the mud once again after it was revealed that the ride-sharing company had tried to cover up a 2016 data hack affecting 57 million customers. The furore that followed has raised some immediate problems for the firm, including the threat of prosecution and impending investigations by multiple countries worldwide. Even more problematic for Uber are the wider-ranging consequences of this cover-up. In combination with their potential loss of the London market and recent workplace scandals, this disastrous year has materialised into real financial impact; at the close of this quarter, Uber logged record losses of $1.5 billion, a $400 million increase on the previous quarter and a far cry from their triumphant predictions of growth at the beginning of 2017. In a particularly telling sign, Uber’s investors also appear to be hedging their bets. Fidelity, who already have a significant stake in Uber, announced last week that they had participated in a funding round for Uber’s closest competitor, Lyft, pushing the latter’s valuation up to $11.5 billion.

Unlike Ashley Madison, Uber’s problems arose not so much from the hack itself, but from their attempt to cover it up. But despite the evident lesson here, this is a scenario we could see again. Over 2/3 of UK boards currently have no training to deal with a cyber-incident and estimates suggest that only 20% of companies have appropriate response plans in place. For Uber, the ultimate consequences of its misconduct remain to be seen; for the moment, they are protected by their largely unique offering, which gives consumers limited alternatives. Should it happen to a business without Uber’s dominance, it could prove fatal.

Monetising trust

How can organisations move forward from here? In the current climate, it is unlikely that consumers will ever wholly withhold their data, as they place value on the services that giving away that data provides; as much has been shown by the fact that risky “data trade-offs” like Uber manage to survive. However, as awareness of the risks and the stakes of losing data to a hacker increases, they are looking increasingly selective about who they choose to share their information with. As more and more information shifts from physical to digital, businesses must be prepared for change. We may be heading towards a future where access to data is no longer a handout but a privilege, hard won by effective risk management and transparent, secure systems that hand back sovereignty to the customer.

Yet it is this data that may ultimately decide who wins and who loses in our future digital economy. Consumer data is the life blood of capabilities like AI and predictive analytics, and is essential for providing the personalised services such as smart home devices that are becoming increasingly popular. Businesses that are cut off from this valuable information source will inevitably find themselves undercut by better-placed competitors.

To protect themselves against this eventuality, businesses in crowded markets should make effective data strategies an utmost priority. Companies like Uber may be shielded for the time being; nevertheless, even they can’t afford to breathe easy. As the surging interest in Lyft is demonstrating, rivals are never far behind.

Look out for my next blog about how GDPR can help your business build a future-proof data strategy.
