This post is the fourth in a series of articles written in collaboration between a blockchain platform vendor, Fluree, and a systems integrator, Codete. Drawing from collective expertise from both a technology vendor and a software development company perspective, we’ll provide insight into overcoming common hurdles in implementing blockchain technology and best practices for operational success in DLT projects. On to our third challenge...
Challenge 3:
Regulatory Compliance with GDPR, HIPAA, and general PII protection
“With great power comes great responsibility”
We all want our businesses to be data-driven and make our decisions based on real customer needs and actions. We always tend to gather more and more information, both by increasing market penetration, or by identifying new data sources. As a result - we get a fuller overview of our user, but we also start to be obliged to follow more and more regulations related to data processing and storage.
Let’s take the most basic regulation, which is the General Data Protection Regulation (GDPR) which spans across the whole EU.
GDPR set out seven key principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Let’s take a peek at how they look in the context of blockchain technology.
Lawfulness, fairness, and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals.
This principle is technology-agnostic, with a slight lean towards being supported by the natural transparency of blockchain technology. The most important factor is having a genuine intention around the data.
Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
As to the basics of blockchain, the main decision we make is either to put the data there, or not.
Afterwards, all of the people in the chain have access to the whole chain - this is the built-in mechanism to ensure data authenticity and immutability (as you cannot change something without having 50%+1 nodes in the network). This is one of the selling factors of blockchain, but it tends to be problematic in the context of PII related regulations - we are not really able to control how the data is being used, as we are always adding “a purpose on top” - accessing the data to validate the whole chain.
This causes a need to find an alternative solution, which is already known (as people are trying to solve this issue). Usually, it revolves around storing all of the sensitive data in traditional storages, and then posting the hashed indicators on the chain. This method can cause different problems - we are losing the transparency we were trying to achieve by using blockchain, and there appears an additional layer of complexity to the application, as the complete information is spread across completely separated data storages. To mitigate this, we can use external tools providing blockchain-like databases as a service, to gain the benefits and avoid the pitfalls.
Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
This point is easy - as it is completely technology-agnostic. We need to be always thinking about what is the minimum amount of data needed to complete a task. An important part of this process is to understand the difference between the operational and analytical databases. In an operational one, you want to keep the bare minimum, while in the analytical - with access restricted to a larger extent - you have much more data, usually in a form of some sort of data lake. This gives us a possibility to analyse the data, and identify new business opportunities. If we will do so - we define what is the least amount of data needed to fulfill the process, and we add it to the operational database.
Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
This point is usually relatively easy to achieve with blockchain, as we have a set-in-stone history of each piece of information. This gives us a solid opportunity to always be aware if any information needs to be updated. Also, we can be sure we will not damage any data retroactively.
Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
This point is another blockchain struggle. Basically, we are not able to remove anything from the chain - its immutability is a very strong selling point, and it is built in the technology. We have two major possibilities - either we will move the important information to a different storage, or we will use an external provider. First solution looks good only on paper - as a result, we start to have blockchain as a buzzword, while the heavy lifting is done on a traditional database. The second solution, using a provider like Fluree, can mitigate the problem, and allow us to focus on the benefits.
Integrity and confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
This one is a mix. We are perfect on the integrity side - all of our data is immutable and safe. About confidentiality - of course, we are securing our applications from unauthorized access. However, after they are a part of a blockchain-based application, they have access to the data.
Accountability
Data controllers are responsible for complying with the principles and letter of the regulation. Data Controllers are also accountable for their processing and must demonstrate their compliance.
This area is completely technology-agnostic, so this principle does not affect our solution for data storage.
Conclusion
Usually, the disrupting technologies tend to be a double-edge sword in the context of legal regulations. Blockchain technology strongly enhances our capabilities in some areas, while limiting the possibilities in others. If we want to follow a typical lean startup approach, and deliver in short iterations, we need to find a better solution compared to adding extra layers of logic to the application.
To avoid this problem, altogether with an additional hard decision - which blockchain is the best for us - we should consider blockchain-as-a-service as the initial solution. After we are well established, we might consider building a custom solution, based on the blockchain of choice, which will be an educated decision. In the early phases, it is definitely more reasonable to evaluate ready-to-use solutions, and focus on the core USPs of our business, leaving the data retention to dedicated providers.
Fluree is a blockchain-backed data management platform. Founded in 2016 by Flip Filipowski and Brian Platz, Fluree is headquartered in Winston-Salem North Carolina. The Fluree platform organizes blockchain-secured data in a highly-scalable, highly-insightful graph database - allowing businesses to develop applications with foundational data-centric trust, interoperability, and security. Fluree has experience in working with partners, like Codete, in developing next-generation applications, interoperable data sources, and data-driven ecosystems for a variety of industries and enterprises.
Codete is an IT consulting and software development company. Since 2010, we’ve been supporting businesses worldwide in gaining competitive advantage by means of modern technology. Codete has over 10 years in the market and has completed over 100 projects for enterprise clients. The company now employs over 150 IT professionals delivering full-stack solutions for advanced data management and reporting. Codete leverages the right technologies to meet different client needs and has worked with a diverse group of technology providers, including Fluree, to provide optimal solutions.
