People usually ask me questions like; how can I use Blockchain for x thing? And one of those things is the General Data Protection Regulation (GDPR). If you are reading this now then it’s probably too late as GDPR comes into effect May 2018. Anyway, GDPR is not a technology issue but more of a process. It can be implemented using more standardized and mature technology such as RDBMS, Messaging Platform, Business Rules amongst other. What would you achieve by building your solution on the Blockchain? Well, in all frankness, not much. Would you store user data in the Blockhain? You could if you wanted to but how would handle the following GDPR articles (summary):
- Section 3: Rectification and Erasure
- Article 16: Right to Rectification
- Article 17: Right to Erasure (‘Right to Forgotten’)
People refers to the Blockchain technology as a decentralized (unless it’s a private deployment) immutable ledger which records all activities.
The Blockchain provides a way to build trust with multiple unknown parties. Most organizations know who they are dealing with on a daily basis: customer, partners and suppliers. Do they really need to provisioned data access for third-parties? No, they do not. So what would the Blockchain be used for? Blockchain is immutable, therefore updates are treated as new transactions and the old inaccurate data would still be available. This is direct violation to Article 16 and 17.
Another approach would be to deploy you Blockchain project in a mix environment where you application would be built in a multi-tiered architecture. In this approach, the user data would be stored in data store which accepts modification and also implements access controls. Due to the fact that the data store is mutable, it cannot be used to log activities which occurred against the data. This where the Blockchain ledger shines. Activities would be logged into the block as it happens; anonymised data of the person, the action taken and by who and timestamp. In this way, if the person requests article 16-17, then you do not have to worry about the data stored in the block. The data stored in the data store can be actioned accordingly. As an organisation who is looking to be GDPR compliant, there is no point in investing in a public Blockchain, a private deployment would suffice. The business process would have well defined rules for different outcomes. Changing the perspective now, as an architect, is the Bockchain really needed for such a simple task of creating immutable logs store? It would be simpler to create something, if not already available, which fit the requirements.
The above diagram illustrates, at high level, what a GDPR implementation on an immutable store would look.:
- The organisation would allow user to register online via various clients such as web or native clients.
- Organistation would store the user data into centralised data store such a NoSQL or RDBMS
- The organisation would implement an access and permission control to prevent unauthorized access and operation
- All operation will be logged into the immutable ledger
- JSON format of anonymized people data
- Type of operation
- Change delta
- Detail of user who carried out the operation
- Application metadata
- Third-party organisations requesting data access can be granted from API layer
- The organisation access control is check and validated
- A permission control will be in placed to make sure that only permissioned information is accessible
- All activities will be logged as above
The aforementioned architecture can be applied to most private deployment of Blockchain project is not only restricted to GDPR. The process removes the need for smart contracts, but that’s a topic for another article.
Thank you for reading and please share the article with your network and feel free to leave a comment.