GDPR and Blockchain: Do they work together?
Our Chief Marketing Officer (CMO), Ken Marke, looks at how Blockchain[1] can support the General Data Protection Regulation (GDPR) in his blog below.
When the stakes are high
Earlier this year, organisations across the European Union (EU) spent a substantial amount of their marketing budget and time ensuring GDPR compliance. Large businesses appointed senior executives to data protection roles, whilst spend on legal fees and consultation will have been significant. With penalties for non-compliance considerably steeper than those under the Data Protection Directive, the effort is understandable. Those that fail can face fines of up to 20 million Euros (or equivalent in sterling), or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher[2]. But has it all been necessary?
Can we still be friends?
As an individual who has worked in the Insurance industry for 39 years, I am attentive about data privacy. So I usually give more than a cursory glance at privacy policies when I get updates from social media apps or websites. Like most people, I want to know how my personal data is being used. It’s all about trust and the flood of updates in recent months resulting from GDPR should give some confidence that data abuse may be waning.
Then along comes the Facebook and Cambridge Analytica scandal. Like the roughly 1 billion active Facebook users[3], no doubt, I was more than alarmed by it. The harvesting of personal data from millions of people's profiles without their consent, and using it for political purposes, really takes the biscuit. The news wiped £25bn off Facebook's share value[4] and led to consumer advocates quite rightly calling for greater data protection and the right to privacy.
There is nothing new here. It has been going on for years and the regulators have been gradually addressing it. But a scandal of this scale calls for even greater vigilance over the use and protection of customer data. Insurers are amongst the biggest collectors and users of personal data. So the industry, together, must place the safeguarding of data uppermost, not only to stay inside the law but also to engender trust with customers.
Like my money in the bank, it is my data, my asset. It has value to me and if you want to use it then you need my explicit permission. That’s why we have direct debit mandates. They give explicit permission to take money from my account. I want to lock my data away in the same way and if you want to access it, then I’ll give you a temporary key to look at it. Put simply, I want to control it and if you want to profit from it, then I want my cut.
Blockchain vs GDPR – or is it?
At B3i, we are very supportive of GDPR regulation and its goal to strengthen data protection for consumers. This is primarily about giving back to people control of their personal data. So how does this conflict with Blockchain applications?
When it comes to Blockchain, the data on the chain is pretty much immutable. Practically speaking, it cannot be erased. That’s a challenge for “the right to be forgotten” principle. Because of this, some argue that Blockchain and GDPR are fundamentally incompatible. Yes and no.
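To make the immutability point concrete, here is an added example that is not part of the original post. It builds a toy hash-linked chain (assumed structure, not B3i's platform), shows that overwriting personal data in one block breaks the links that follow it, and then shows the commonly discussed alternative the post does not spell out: keep only a salted commitment on-chain and the personal record off-chain, so an erasure request deletes the off-chain record and salt while the chain stays valid.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(index, prev_hash, payload):
    """Hash header fields and payload together; every later block commits to this value."""
    return hashlib.sha256(json.dumps([index, prev_hash, payload], sort_keys=True).encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for i, p in enumerate(payloads):
        h = block_hash(i, prev, p)
        chain.append({"index": i, "prev_hash": prev, "payload": p, "hash": h})
        prev = h
    return chain

def chain_is_valid(chain):
    """Recompute every hash and check each block points at its predecessor."""
    prev = GENESIS
    for b in chain:
        if b["prev_hash"] != prev or block_hash(b["index"], prev, b["payload"]) != b["hash"]:
            return False
        prev = b["hash"]
    return True

def erase_in_place(chain, index):
    """Naive 'right to be forgotten': overwrite the personal data inside one block."""
    tampered = [dict(b) for b in chain]
    tampered[index]["payload"] = {"erased": True}
    return tampered

# Constructed sample records (not real policyholders).
RECORDS = [{"policy": "P-1", "holder": "Alice Example"}, {"policy": "P-2", "holder": "Bob Example"}]

def demo_on_chain():
    """Personal data stored directly on-chain: erasing it invalidates the chain."""
    chain = build_chain(RECORDS)
    return chain_is_valid(chain), chain_is_valid(erase_in_place(chain, 0))

def commitment(record, salt):
    """Salted hash of the record; the salt stops low-entropy data being guessed from the hash."""
    return hashlib.sha256(salt + json.dumps(record, sort_keys=True).encode()).hexdigest()

def demo_off_chain():
    """Only commitments go on-chain; erasure deletes the off-chain record and its salt."""
    salts = [b"salt-1", b"salt-2"]  # constructed; real salts must be random
    commits = [commitment(r, s) for r, s in zip(RECORDS, salts)]
    chain = build_chain(commits)
    off_chain = dict(zip(commits, RECORDS))
    del off_chain[commits[0]]  # honour the erasure request without touching the chain
    return chain_is_valid(chain), len(off_chain), commits[0] in off_chain
```

Once the record and its salt are gone, the on-chain hash no longer links to an identifiable person, which is the property the erasure request is after.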
Bear with me.
Individuals must have better control of their data, as they do of their money. GDPR has this at its heart and goes a long way towards achieving it. Some elements, though, are hard to absorb into new technologies and applications simply because these innovations, like Blockchain, were not around when GDPR was being devised.
According to a report published by the EU Blockchain Observatory and Forum in June 2018, Claire Bury, Deputy Director General, DG Connect, commented that: “Blockchain technology can directly support GDPR. There are different technical techniques…that can be used to better secure personal data. Blockchain provides auditability and transparency, which can help in protecting data subjects and enforcing GDPR4.”
Conceptually, Blockchain can help to secure personal data, place the owner (the customer) in control of it, and allow others to use it for legitimate and permissioned reasons.
GDPR is ahead of its time in terms of the availability of technology to help to resolve the fundamental issue of data privacy. Credit goes to the regulators for tackling the issue and what needs to happen now is to take advantage of better ways of achieving its aims.
The incompatibility with certain elements of GDPR just needs to be ironed out. If there isn't a clever bod out there trying to work that one out, then perhaps there should be. But it is certainly not a reason to stop developing Blockchain applications that store personal data, as some suggest.
On the other hand, the regulations could be revisited and updated to take account of new technologies. Rather than working the technology around the incompatibilities, working together on both sides could lead to far more robust solutions for individuals. This is where B3i is engaging with regulators at all levels and in all geographies: providing support and education to inform new laws and policies related to Blockchain technology.
At B3i, we are big believers in doing good for customers. At our core is the drive to help the industry make insurance more relevant, accessible and affordable for them. But we can’t do this on our own. We believe in teamwork. We exist to work with the whole market to make things better.
Teamwork is like a puzzle, where every member has a unique shape that becomes part of the big picture. Teamwork and collaboration lead to consensus, and through this we can devise solutions for common benefit. In the puzzle, we end up with a complete picture. The implications of Blockchain for GDPR are a great opportunity to do this.
As an example of how we collaborate, we announced recently that we will jointly chair a new ACORD standards project group. The initiative is designed to review and propose common standards for the adoption of Blockchain capabilities by the Insurance industry. We are committed to continual dialogue and recurrent opportunities to connect with our peers, whilst openness is also crucial in building an atmosphere of trust.
The biggest task we face is not technical. The banking and insurance industry is still dogged by consumer distrust. So, in a sense, we must thank GDPR for catalysing some positive disruption within the financial services industry by increasing transparency and accountability. Blockchain will support GDPR's goal to improve the free movement and portability of data, while immutability and verification of customer data mean fewer errors, especially where contracts are concerned, and, critically, help to mitigate fraud.
As always, if you would like to discuss further, please contact me:
Look out for our next blog from Susan Joseph, B3i North America Representative on the subject of Self Sovereign Identity and what is happening in this space to let individuals have more practical control over their identities and personal data.
Sources and notes:
- For the purposes of this blog, Blockchain and Distributed Ledger Technology are used to reference the same concept although they are slightly different. This blog is not intended to delve into the technical differences.