How DLT can be used to achieve GDPR compliance

  • Andrew Hewitt
  • April 5, 2018

Distributed Ledger Technology and the General Data Protection Regulation can be like in-laws. The former, complex, the latter for many, downright scary. But together they can become the perfect parents, the foundation for next-generation data management and financial services.

The need to demonstrate secure data storage and consented data sharing has never been more pressing. Under GDPR, organisations need to keep records of all personal data usage, be able to prove that consent was given, show where the data's going, what it's being used for, and how it's being protected. Failing to comply with GDPR could be devastating: fines of up to 20 million euro, or 4% of global turnover – whichever is higher. Add in reputational damage, and it’s clear that non-compliance with GDPR is not an option.

Distributed ledger, by contrast, remains a work in progress. It is not mandatory, and the full implications of DLT have not been articulated, at least not yet. DLT’s ability to process rapid payments is still to be proven, but its security potential is considerable. The technology provides a shared, tamper-evident single version of the truth visible to all participants within a given network: an entry cannot be altered after the fact without the change being detectable by the other participants (“tamper-proof” overstates it; the guarantee is detection, not prevention). When disparate third parties can independently verify information along a transaction chain, the core data is harder to corrupt, and we can already see the benefits of this in logistics and contracts technology. So could DLT assist with GDPR compliance?

Arguably, yes. DLT’s capacity to transparently record and transfer data could be crucial for a range of services, from banking to asset management. And in the GDPR environment, where provable data consent is king, permissions technology will be imperative. One such example is FIS Consent Manager which enables a dynamic and transparent data relationship with individual customers, and gives data protection officers requisite monitoring tools.

And we can go further with permissions technology. Under GDPR, a company that collects personal data must be able to show a valid legal basis for each purpose the data is used for, and where that basis is consent, the consent must be provable. One of the many challenges of GDPR is being able to prove, for any piece of personal data held, which legal basis for processing it is being relied on. Multiple legal bases may exist for any given data item, so controlling how that data can be used by different systems for different purposes must be actively managed.

The obvious solution appears to be a single system of record which knows, for any data item or group of data items, the legal basis on which that data is processed. Both systems and people can query it and find out what they are allowed to do and on what basis. The challenge then becomes which technology is best positioned to handle these requirements. Step forward, distributed ledger technology.

A distributed ledger could hold information about who can do what, with which data, for an individual data subject. The ledger should not hold the personal data itself, only opaque indicators of that data and the permissions attached to it. Because ledger entries cannot later be erased, this separation is what keeps the design compatible with the right to erasure: anything that identifies the subject or allows the data to be reconstructed (a hash of the data included, since that is still pseudonymous personal data) stays off the ledger. Used this way, we end up with an immutable record of what permissions existed at any point in time, without the ledger itself ever holding personal data. This would serve as an excellent proof point during an audit, or if an individual challenges the legal basis for processing their personal data. The remaining challenge is ensuring that processing systems actually consult, and enforce, the permissions recorded in the distributed ledger. Whilst such a system cannot be created overnight, it is surely a pathway to a coherent data rights management strategy fit for GDPR.
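To make the permission-registry design above concrete, here is an added example (not FIS code, and not a description of any FIS product) of the ledger’s data model in Python. A hash-chained, append-only, in-memory log stands in for a DLT node; the conventions that subject and data-item references are 32-hex-character opaque tokens minted by the systems of record, and that legal bases are spelled as the six Article 6(1) grounds, are assumptions of the example. It shows the three properties the text asks for: no personal data on the ledger (a raw e-mail address is refused), a point-in-time answer to “may system X process item Y for purpose Z on which basis?”, and detection of an after-the-fact edit to the history.

```python
"""Added illustration: append-only, hash-chained permission registry.
Stores who (system) may do what (purpose) with which data item of which data
subject, on what legal basis and from when. Personal data never enters it."""
import hashlib
import json
import re
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64
# Assumed convention: references are 16 random bytes, hex-encoded, issued
# off-ledger. A name, e-mail or customer number fails this check and is refused.
_OPAQUE_REF = re.compile(r"^[0-9a-f]{32}$")
# The six processing grounds of GDPR Art. 6(1)(a)-(f).
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}


def _canonical(obj: Dict) -> bytes:
    """Deterministic encoding so the same entry always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class PermissionLedger:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, *, subject_ref: str, data_ref: str, system: str,
               purpose: str, legal_basis: str, granted: bool, at: int) -> Dict:
        """Append a grant (granted=True) or withdrawal (granted=False) effective at Unix time `at`."""
        for ref in (subject_ref, data_ref):
            if not _OPAQUE_REF.match(ref):
                raise ValueError(f"not an opaque reference: {ref!r}")
        if legal_basis not in LEGAL_BASES:
            raise ValueError(f"unknown legal basis: {legal_basis!r}")
        if self.entries and at < self.entries[-1]["at"]:
            raise ValueError("entries must be appended in time order")
        body = {"subject_ref": subject_ref, "data_ref": data_ref, "system": system,
                "purpose": purpose, "legal_basis": legal_basis, "granted": granted,
                "at": at, "prev": self.entries[-1]["hash"] if self.entries else GENESIS_HASH}
        entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain. False if any entry was altered in place or an interior
        entry removed or reordered. Silent truncation of the tail is only caught by
        comparing the head hash against a copy published outside this store."""
        prev = GENESIS_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def in_force(self, *, subject_ref: str, data_ref: str, system: str,
                 purpose: str, at: int) -> Optional[Dict]:
        """Most recent entry for this (subject, item, system, purpose) as of `at`."""
        match = None
        for e in self.entries:
            if e["at"] > at:
                break
            if (e["subject_ref"], e["data_ref"], e["system"], e["purpose"]) == \
                    (subject_ref, data_ref, system, purpose):
                match = e
        return match

    def permitted(self, **query) -> bool:
        """The question a processing system asks before touching the data item."""
        e = self.in_force(**query)
        return bool(e and e["granted"])


def demo() -> Dict:
    """Constructed scenario: consent given on 2018-04-01, withdrawn on 2018-04-11."""
    ledger = PermissionLedger()
    subj = "9c1f0b7e4a3d2c5b8e6f1a0d3b2c4e5f"  # constructed opaque token: one data subject
    item = "2b7a9e0c4d1f6a3b5c8e7d0f1a2b3c4d"  # constructed opaque token: one data item
    q = dict(subject_ref=subj, data_ref=item, system="crm", purpose="marketing")
    ledger.append(**q, legal_basis="consent", granted=True, at=1522540800)
    ledger.append(**q, legal_basis="consent", granted=False, at=1523404800)
    try:  # a raw identifier must never be written to the ledger
        ledger.append(subject_ref="alice@example.com", data_ref=item, system="crm",
                      purpose="marketing", legal_basis="consent", granted=True, at=1523404800)
        rejected = False
    except ValueError:
        rejected = True
    forged = PermissionLedger()
    forged.entries = [dict(e) for e in ledger.entries]
    forged.entries[1]["granted"] = True  # attempt to quietly undo the withdrawal
    return {
        "before_withdrawal": ledger.permitted(**q, at=1522627200),  # True
        "after_withdrawal": ledger.permitted(**q, at=1523491200),   # False
        "basis_on_record": ledger.in_force(**q, at=1522627200)["legal_basis"],  # "consent"
        "other_purpose": ledger.permitted(subject_ref=subj, data_ref=item, system="crm",
                                          purpose="analytics", at=1522627200),  # False
        "personal_data_rejected": rejected,       # True
        "chain_intact": ledger.verify(),          # True
        "forgery_detected": not forged.verify(),  # True
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter beyond the code. First, a withdrawal is a new entry, not an edit: the original grant stays on the record, which is exactly what an auditor asking “what was permitted on 3 April?” needs. Second, the hash chain only proves that the history you hold has not been rewritten; it says nothing about whether the CRM actually asked `permitted()` before sending the mailing, which is the enforcement gap the text identifies and which a real deployment has to close in the processing systems themselves.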

Despite the high stakes, GDPR need not be legislation to fear. Rather, it can provide the framework to fuel innovation by forcing organisations, particularly those running legacy systems, to confront their data silos, and empowering them to use that data with the right consent in place. This will lead to new business models for a range of applications, and we’re already seeing this. For example, HSBC Securities Services is trialing DLT on proxy voting services with a number of end investors, including major sovereign wealth funds and pension funds. Using DLT in proxy voting can improve transparency and deliver efficiencies to the end investor. And last year Citi implemented a “blockchain-inspired” distributed ledger technology in its back office to manage collateral in its ledger and send cash or securities.

When the best technology is used to create a trusted framework with which financial institutions can demonstrate data consent, we can enter a new era of exciting financial applications and services. Like many in-laws, GDPR and DLT have been labeled as disruptive, but often out of disruption comes opportunity. FIS believes in innovative solutions for a dynamic and changing financial services landscape but as Facebook will agree, end-user data and provable consent of use is crucial for the stability of the whole technology family.