The increasing emphasis on data privacy gained widespread attention last year with the enforcement deadline of the General Data Protection Regulation (GDPR). Regardless of your perspective on GDPR and its impact on enterprises, the need for organizations to provide more robust solutions to protecting customers’ data is only going to escalate as data sources continue to proliferate and the regulatory environment continues to evolve. While many organizations remain in the early stages of determining if and how blockchain fits into their digital transformation plans, the role blockchain can play in driving toward improved data privacy in addressing regulatory requirements such as GDPR could serve as an additional factor in their considerations.
Blockchain is among the most disruptive of the high-profile technologies that are being used today to help enterprises transform, and it is certainly one of the technologies with the most intriguing outlook for enterprise security leaders. Blockchain brings a range of data integrity-enhancing capabilities that should be appealing to most information security professionals, such as the ability to manage the identify of users, leverage tokens to build trust among all parties and make it impossible for hackers to access a trove of information in a single repository due to the decentralizing recordkeeping. Respondents to ISACA’s Digital Transformation Barometer identify artificial intelligence and big data as the technologies with the most transformational potential, but the considerable amount of hype blockchain has receives is good with good reason – there is real potential for blockchain to revamp business models and create unprecedented business efficiencies. These capabilities, though, can only come to fruition if the proper governance, risk and compliance considerations are accounted for, and if the implications of blockchain deployment are workable within the context of the evolving regulatory landscape, most notably including GDPR.
Private and Permissioned Blockchains Particularly Promising for GDPR Compliance
On that front, a recent report by the European Parliamentary Research Service provided some interesting context. As the report notes, “blockchain technologies are a data governance tool that could support alternative forms of data management and distribution and provide benefits compared with other contemporary solutions. Blockchains can be designed to enable data-sharing without the need for a central trusted intermediary, they offer transparency as to who has accessed data, and blockchain-based smart contracts can moreover automate the sharing of data, hence also reducing transaction costs. Furthermore, blockchains’ crypto-economic incentive structures might have the potential to influence the current economics behind data-sharing.” Despite the considerable upside, there are certainly challenges and nuanced use cases to work through. The report makes it clear, for example, that private and permissioned blockchains are better suited to comply with GDPR than permission-less blockchains. And more generally, there is not a single, clear-cut verdict on whether blockchains as a whole are GDPR-friendly, meaning individual use cases must be investigated and vetted on their individual merits.
Blockchain Brings the Potential for Automation, Clarity and Integrity
But while many open questions remain in terms of how blockchain fits into the modern regulatory landscape, it is clear that blockchain presents new opportunities to strengthen enterprises’ approach to data governance and data privacy. Addressing a variety of GDPR challenges, such as data subject consent management, can be managed through the introduction of blockchain, similarly to the contract management case. There are several other use cases to consider, such as the serving of data subject rights in environments in which many organizations and individual stakeholders are involved (from controllers to processors and subprocessors). In these instances, blockchain is capable of providing the automation, clarity and integrity required.
In the bigger picture, information security professionals need to embrace a future-minded approach, recognizing that the security programs of the past decade, in many cases, will not be sufficient to position their enterprises for success going forward. This mindset should not only apply to improving business results, but must also extend to the growing challenge of keeping pace with the increasing demands of the regulatory environment. Similar regulations to GDPR are being enacted around the globe, as the need for robust data privacy knows no geographic bounds. These evolving requirements provide all the more incentive for enterprises to explore what blockchain and other emerging technologies can do to strengthen their security programs and better position their organizations to meet current compliance requirements as well as prepare for the compliance challenges of the future.
Editor’s note: This blog post originally published in CSO.