How DLT can be used to achieve GDPR compliance


April 5, 2018 | FIS

Distributed Ledger Technology and the General Data Protection Regulation can be like in-laws. The former, complex, the latter for many, downright scary. But together they can become the perfect parents, the foundation for next-generation data management and financial services.

The need to demonstrate secure data storage and consented data sharing has never been more pressing. Under GDPR, organisations need to keep records of all personal data usage, be able to prove that consent was given where consent is relied on, and show where the data is going, what it is being used for and how it is being protected. Failing to comply with GDPR could be devastating: fines of up to 20 million euro or 4% of global annual turnover, whichever is higher. Add in reputational damage, and it is clear that non-compliance with GDPR is not an option.

Distributed ledger technology, by contrast, remains a work in progress. It is not mandatory, nor have the full implications of DLT been articulated, at least not yet. DLT's ability to process payments at scale is still to be demonstrated, but its security potential is considerable. The technology provides a tamper-evident single version of the truth that is visible to all participants within a given network: any alteration to a recorded entry breaks the chain of hashes that links it to later entries, so it cannot be made silently. When disparate third parties can independently verify information along a transaction chain, the core data is harder to corrupt, and we can already see the benefits of this in logistics and contracts technology. So could DLT assist with GDPR compliance?

Arguably, yes. DLT’s capacity to transparently record and transfer data could be crucial for a range of services, from banking to asset management. And in the GDPR environment, where provable data consent is king, permissions technology will be imperative. One such example is FIS Consent Manager which enables a dynamic and transparent data relationship with individual customers, and gives data protection officers requisite monitoring tools.

And we can go further with permissions technology. Under GDPR, a company that collects personal data must have a valid legal basis for each purpose it processes the data for; where that basis is consent, the consent must be specific to the purpose and provable. One of the many challenges of GDPR is being able to prove, for any piece of personal data held, which legal basis for processing it is being relied on. Multiple legal bases may exist for any given data item, so controlling how that data can be used by different systems for different purposes must be managed.

The obvious solution appears to be a single system of record which knows, for any data item or group of data items, what the legal basis for processing that data is. Both systems and people can query it to find out what they are allowed to do and on what basis. The challenge then becomes which solution is best positioned to handle these requirements. Step forward, distributed ledger technology.

A distributed ledger could hold information about who can do what, with which data, for an individual data subject. The distributed ledger should not hold the personal data itself, only indicators (opaque references) of that data together with the permissions on it. Used in this way, the ledger gives an immutable record of what permissions existed at any point in time, while containing none of the personal data. This would serve as an excellent proof point during an audit, or if an individual challenges the legal basis for processing their personal data. The challenge then becomes ensuring that the systems which actually process the data consult and enforce the permissions stored in the distributed ledger. Whilst such a system cannot be created overnight, it is surely a pathway to a coherent data rights management strategy fit for GDPR.
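To make the design above concrete, here is an added example (written for this page, not code from FIS, FIS Consent Manager or any ledger product) of a minimal append-only, hash-chained permissions ledger. Every field name, the sample subject and data references, the timestamps and the purposes are constructed assumptions for illustration. Personal data never enters the ledger: entries carry opaque tokens that the data-holding system issues for the subject and the data item, plus the purpose, the legal basis and whether processing is permitted. `verify()` shows the tamper-evidence property, and `bases_in_force()` answers the "what am I allowed to do with this item, and on what basis, as of time T" query that the text says systems and people need to ask.

```python
"""Added example: hash-chained permissions ledger holding references, not personal data.
All identifiers, field names and sample entries are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class PermissionEntry:
    seq: int            # position in the ledger
    ts: int             # Unix time the permission change was recorded
    subject_ref: str    # opaque token for the data subject; never a name, email or hash of one
    data_ref: str       # opaque token for the data item held off-ledger
    purpose: str        # processing purpose this entry covers
    legal_basis: str    # basis relied on for that purpose, e.g. "consent" or "contract"
    permitted: bool     # True grants processing on that basis, False withdraws it
    prev_hash: str      # hash of the previous entry (the chain link)
    entry_hash: str     # hash of this entry's own contents

    @staticmethod
    def compute_hash(fields: dict) -> str:
        # Canonical JSON so every participant hashes identical bytes.
        body = {k: v for k, v in fields.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class PermissionsLedger:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self) -> None:
        self.entries: list[PermissionEntry] = []

    def record(self, ts: int, subject_ref: str, data_ref: str,
               purpose: str, legal_basis: str, permitted: bool) -> PermissionEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        fields = dict(seq=len(self.entries), ts=ts, subject_ref=subject_ref,
                      data_ref=data_ref, purpose=purpose, legal_basis=legal_basis,
                      permitted=permitted, prev_hash=prev, entry_hash="")
        fields["entry_hash"] = PermissionEntry.compute_hash(fields)
        entry = PermissionEntry(**fields)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and chain link; an edited entry breaks the chain."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if PermissionEntry.compute_hash(asdict(e)) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def bases_in_force(self, subject_ref: str, data_ref: str, purpose: str,
                       at: Optional[int] = None) -> set[str]:
        """Replay entries up to time `at` (default: all) and return the legal bases
        that currently permit `purpose` on this data item. A later withdrawal
        cancels an earlier grant on the same basis; other bases are untouched."""
        active: set[str] = set()
        for e in self.entries:
            if at is not None and e.ts > at:
                continue
            if (e.subject_ref, e.data_ref, e.purpose) != (subject_ref, data_ref, purpose):
                continue
            if e.permitted:
                active.add(e.legal_basis)
            else:
                active.discard(e.legal_basis)
        return active

    def may_process(self, subject_ref: str, data_ref: str, purpose: str,
                    at: Optional[int] = None) -> bool:
        return bool(self.bases_in_force(subject_ref, data_ref, purpose, at))


def with_entry_altered(led: PermissionsLedger, seq: int, **changes) -> PermissionsLedger:
    """Copy of the ledger with one entry silently edited, to show verify() catching it."""
    tampered = PermissionsLedger()
    tampered.entries = [replace(e, **changes) if e.seq == seq else e for e in led.entries]
    return tampered


def build_sample_ledger() -> PermissionsLedger:
    """Constructed sample history: one subject, one data item, two purposes."""
    led = PermissionsLedger()
    s, d = "subj-7f3a", "item-addr-91"  # opaque refs issued by the system holding the data
    led.record(1_520_000_000, s, d, "deliver-order", "contract", True)
    led.record(1_520_000_100, s, d, "marketing", "consent", True)
    led.record(1_520_500_000, s, d, "marketing", "consent", False)  # consent withdrawn
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain valid:", led.verify())
    print("marketing bases at grant time:", led.bases_in_force("subj-7f3a", "item-addr-91", "marketing", at=1_520_000_100))
    print("marketing permitted now:", led.may_process("subj-7f3a", "item-addr-91", "marketing"))
    print("tampered chain valid:", with_entry_altered(led, 2, permitted=True).verify())
```

Two design points follow from the text's requirement that the ledger hold indicators rather than personal data. The references are random tokens minted by the system that holds the data, not hashes of the data, so nothing on the ledger can be reversed to a subject by a participant who does not hold the off-ledger mapping. And the query replays history rather than reading a mutable "current state" row, which is what lets an auditor or a data subject ask what was permitted at a past moment, not just today.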

Despite the high stakes, GDPR need not be legislation to fear. Rather, it can provide a framework that fuels innovation by forcing organisations, particularly those running legacy systems, to confront their data silos and empowering them to use that data with the right consent in place. This will lead to new business models for a range of applications, and we are already seeing this. For example, HSBC Securities Services is trialling DLT for proxy voting services with a number of end investors, including major sovereign wealth funds and pension funds. Using DLT in proxy voting can improve transparency and deliver efficiencies to the end investor. And last year Citi implemented a "blockchain-inspired" distributed ledger technology in its back office to manage collateral on its ledger and move cash or securities.

When the best technology is used to create a trusted framework with which financial institutions can demonstrate data consent, we can enter a new era of exciting financial applications and services. Like many in-laws, GDPR and DLT have been labelled disruptive, but out of disruption often comes opportunity. FIS believes in innovative solutions for a dynamic and changing financial services landscape, but, as Facebook will agree, end-user data and provable consent for its use are crucial for the stability of the whole technology family.
