GDPR may well kill enterprise blockchain databases

The secure ledger technology sounds like a godsend for all sorts of databases—until you examine how GDPR’s PII management gets in the way


Tech manias always end, often with a whimper, but sometimes with a hard slap in face.

The current blockchain frenzy seems to be on the verge of a rude awakening. The core issue is not whether the technology can address the myriad issues surrounding its performance, scalability, security, and flexibility. Rather, it concerns whether its fundamental architecture—that of a shared, distributed, and immutable recordkeeping system—can pass muster with regulators in the European Union (EU).

Companies everywhere are racing to comply with the EU’s General Data Protection Regulation when it goes into full effect on May 25, 2018. GDPR will have a major impact on how global enterprises store, share, and use customer data. It is a legal framework for managing personally identifiable information (PII) of the residents of EU member nations. The regulation applies to any company holding such information, even those based in the US and other non-EU nations. The regulation requires that organizations that hold such data give individuals the right to request that it be deleted, corrected, and withheld from uses to which they haven’t consented.

The hard reality is that GDPR will impose significant financial penalties—fines up to €20 million or 4 percent of global revenues, whichever is higher—for failure to provide EU citizens with the rights to delete and correct their PII.

If you’re even remotely familiar with blockchain, you know that the GDPR requirements run contrary to its core architecture. A blockchain is an unchangeable historical record that’s distributed across many computers. This means that once a record is written to a blockchain, it can’t easily or feasibly be deleted or altered. One observer refers to this as “CRAB” (create, read, append, burn), in contrast to the “CRUD” (create, read, update, delete) architecture of the typical transactional database.

How to think about GDPR in enterprise blockchain deployments

How is GDPR likely to shape enterprise adoption of blockchain? If you’re an enterprise IT professional who has already implemented or is evaluating blockchain, you may respond in any of the following ways:

No blockchains, period

The financial risks of GDPR noncompliance will cause many companies to have second thoughts about deploying blockchain for any application. If you consider how many blockchain projects involve PII (such as for managing digital identities, digital contracts, and digital notary services), this is a serious issue that may stop the blockchain mania in its tracks.

No public blockchains

For managing PII and other data domains, enterprises may choose to limit their usage of blockchains to those that are purely private or “permissioned.” This refers to any blockchains they might deploy internally or those in which they participate that are maintained by a closed consortium or community, such as the Ripple blockchain for global payments among financial services providers.

Deletions and alterations are more feasible in a private blockchain than in a public (or “permissionless”) environment such as Bitcoin or Ethereum, because making such a change requires both an agreement among most network nodes to create a new version of the chain that includes the changes, and a further agreement for all nodes to use that latest version rather than the prior one.

No blockchains managing PII

Enterprises may choose to limit blockchain to purely non-PII applications, such as cryptocurrencies, the industrial internet of things, and master data management for product, supply chain, and logistics records. In such scenarios, the PII may continue to be managed in parallel on entirely separate data platforms (in blockchain parlance, “off-chain”) that allow records to be deleted and altered.

While this bifurcated “on-chain/off-chain” approach may frustrate blockchain advocates’ dreams of becoming the single catch-all distributed store for all enterprise data, it’s not inconsistent with the hybridized nature of many enterprise data environments. After all, many organizations maintain a mix of disparate data stores—including relational, columnar, dimensional, in-memory, key-value, file, document, graph, and so on—for different data domains, types, applications, and usage models.

No PII blockchains that lack self-erasing capabilities

GDPR does not define exactly what erasure of PII means in practice, and it has left this matter to data hosts to interpret in the context of their own implementations and possibly to the various EU member states to clarify in legislation. Depending on whether EU regulators find this acceptable, enterprises may choose to put immutable PII on blockchains, as long as the chains have the ability to make these records self-erasing.

This might involve:

  • encrypting PII on the blockchain while maintaining tight control over the secret keys needed to unlock it, with “erasure” simply involving deleting the keys.
  • keeping archival versions of since-erased/altered PII intact in a blockchain’s permanent storage, but making them permanently inaccessible to anyone if the data subject requests that the data be deleted or altered.
  • incorporating blacklisting mechanisms that refuse to serve older (albeit immutably archived) versions of PII records that have since been deleted or altered.
  • only storing references and hashes of PII records—not the records themselves—on a blockchain. This would allow the PII data to be stored separately in a system that allows for deletion, alteration, and other data management capabilities required under GDPR. The immutable hashes would be useful in verifying the existence and veracity of the separately stored PII data, and for flagging that it has been deleted or altered.
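The first and last options above combine naturally: keep only a keyed hash of each PII record on the chain, hold the record and its per-subject secret off-chain, and "erase" by deleting both. The following is an added illustration written for this page, not code from the article or any blockchain project; the in-memory chain, the off-chain store, and the function names are constructed for the example. The secret salt matters because a plain hash of low-entropy PII (a name or e-mail address) could otherwise be recovered from the chain by guessing.

```python
import hashlib
import hmac
import json
import secrets

# Constructed, in-memory stand-ins for the two stores the article describes:
# an append-only "chain" holding only commitments, and a mutable off-chain PII store.
CHAIN = []        # blocks: {"prev", "subject", "commit", "hash"}
OFF_CHAIN = {}    # subject_id -> {"salt": bytes, "pii": dict}


def commitment(salt: bytes, pii: dict) -> str:
    """Keyed hash of the canonical PII record. The per-subject salt is the secret
    destroyed on erasure, so the on-chain value cannot be brute-forced afterwards."""
    canon = json.dumps(pii, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, canon, hashlib.sha256).hexdigest()


def append_block(subject_id: str, commit: str) -> dict:
    """Append a block that links to the previous block's hash (immutable history)."""
    prev = CHAIN[-1]["hash"] if CHAIN else "0" * 64
    block = {"prev": prev, "subject": subject_id, "commit": commit}
    block["hash"] = hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()
    CHAIN.append(block)
    return block


def register(subject_id: str, pii: dict) -> str:
    """Store or update PII off-chain with a fresh salt; only the commitment goes on-chain."""
    salt = secrets.token_bytes(32)
    OFF_CHAIN[subject_id] = {"salt": salt, "pii": pii}
    return append_block(subject_id, commitment(salt, pii))["hash"]


def erase(subject_id: str) -> None:
    """GDPR erasure: drop the PII and its salt. The chain itself is never rewritten."""
    OFF_CHAIN.pop(subject_id, None)


def verify(subject_id: str) -> str:
    """'verified' if the off-chain record matches its latest on-chain commitment,
    'erased' if nothing remains off-chain, 'tampered' if the two disagree."""
    blocks = [b for b in CHAIN if b["subject"] == subject_id]
    if not blocks:
        return "unknown"
    rec = OFF_CHAIN.get(subject_id)
    if rec is None:
        return "erased"
    actual = commitment(rec["salt"], rec["pii"])
    return "verified" if hmac.compare_digest(actual, blocks[-1]["commit"]) else "tampered"
```

An alteration is handled by calling register again, which appends a new commitment; verify always checks against the most recent one, while the older commitments remain in the chain as evidence that the record has changed.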

GDPR may chill enterprise blockchain efforts around user data

As GDPR starts to take force, one likely collateral damage may be to blockchain initiatives such as Sovrin that are specifically focused on managing identity records.

Another chilling effect of GDPR may be on the diverse blockchain initiatives in the artificial intelligence space for storing and managing data lakes, processing training data, compiling audit logs, and other scenarios that often involve PII data.

And we will almost certainly see vendors such as Salesforce rethink their productization of blockchain, considering that customer relationship management environments exist to manage the entire PII life cycle.

When a regulation is as far-reaching as GDPR and comes from a multinational bloc as central to the world economy as the EU, it can’t fail to have ripple effects. Essentially, GDPR throws every aspect of enterprise data stewardship into doubt, including plans to deploy blockchain. Brace yourselves for a turbulent next few years as data professionals, regulators, courts, vendors, and other stakeholders sort this out.

Copyright © 2018 IDG Communications, Inc.