GDPR, Blockchain, and Me

I missed posting last month because a lot was happening! Of course, for everyone who is involved with technology and data at a global level, we have all been touched in some way by GDPR. I know my inbox was flooded with emails on the changes to everyone’s privacy policies and probably yours was, too. It’s worth a read to learn more about it and why it’s such a big deal and how it’s affecting businesses all over the world.

For me personally, May was a big month because I changed jobs after almost a decade at The Planet/SoftLayer + IBM where I had been a design lead for Infrastructure as a Service (IaaS), IAM (identity and access management), and BSS (accounts) and then head of the Strategic Insights team for Public Cloud Research (covering all of Infrastructure as a Service and Platform as a Service). I moved from there to SAP Leonardo Services where I took the position of a Blockchain Design Consultant. This means I’ve been heads down learning all I can about Blockchain and my new company for the last 3 weeks.

Here’s where I have to have a sense of humor around these two seemingly unrelated subjects considering the paradox of Blockchain and GDPR.

To summarize the article, given the immutable state of data in a Blockchain, there is no way to update or delete it. In developer’s parlance, there is no way to perform the UD operations of basic CRUD. In fact, the entire acronym has been updated for blockchain to be CRAB (create, retrieve, append, burn). The problem is, does burn accommodate the “right to be forgotten” and “erasure of data” portions of GDPR? If personal data is in the Blockchain, then the answer is no.

That said, there is a workaround as discussed via creating a hash and a link in the Blockchain that refers back to PII (personally identifiable information) that is stored OUTSIDE of the Blockchain. This results in the PII data only being accessible through an encrypted hash and link to it provided in the Blockchain that can only be decrypted by those who have the key. To ensure the data hasn’t been tampered with, the data retrieved via the link would need to provide its own hash that can be compared with the hash in the blockchain. If the two match, the data has not been modified. This is GDPR compliant because all of the data off-chain can be deleted thus making the hash/link in the blockchain useless. However, the blockchain is then reduced to an access control mechanism to data that remains centrally owned and located rather than a decentralized encrypted transparent immutable replicated ledger of actual data that is owned by everyone.

This results in the following:

The goal of GPDR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” Also, one of the things GDPR states is that data “should be erasable”. Since throwing away your encryption keys is not the same as ‘erasure of data’, GDPR prohibits us from storing personal data on a blockchain level. Thereby losing the ability to enhance control of your own personal data.

If you want to learn more about Blockchain, I recommend this handy product manager’s guide and this how blockchain works article.

As you can see, I may have sipped a bit of the Blockchain Kool-aid.

On top of all of those changes, I also finished a side hustle where I completely redesigned a billing system for a friend’s startup.

In the coming months, I’ll be posting more about Blockchain along with some Machine Learning, IoT, as well as other forms of AI from a user and design perspective along with my ever-present posts on the Internet, privacy, security, gaming, and social media. I imagine the various topics will merge at some point down the line. I’m excited to be here in the edge technologies space. It’s exactly what I told my circle of friends I wanted to work on at the turn of the year. Thank you to SAP for making that a reality.