Blockchain solutions for commercially sensitive data and data protection compliance

Ravikant Agrawal
May 5, 2020
Image source: WEF

Data is a precious commodity in any industry, but exploiting its value with blockchain raises commercial and compliance issues that have the potential to significantly hinder blockchain adoption if left unaddressed.

Blockchain never requires a company to reveal more data than it is comfortable with. In fact, the cutting-edge obfuscation techniques that blockchain offers can unlock possibilities in any industry that were not previously available. Technologies will be chosen depending on the degree of confidentiality and functionality required.

Blockchain solutions for commercially sensitive data and data protection compliance:

1. On-chain/off-chain configurations and hashing: Basic protections, such as on-chain/off-chain configurations, and only storing hashed data on the blockchain

2. Role-based access controls: Role-based access controls on the blockchain for selective obfuscation of data

3. Zero-knowledge proof: Where users can prove their knowledge of a value without revealing the value itself

4. Homomorphic encryption: Where data is encrypted before sharing on the blockchain, where it can be analysed without decryption
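Item 1 above as an added example (not code from the article or from WEF): the record stays in a private store, and only a salted commitment goes on the ledger. `Ledger`, `OffChainStore` and the function names are hypothetical stand-ins, and the sample record is constructed.

```python
import hashlib, hmac, json, secrets

class Ledger:
    """Stand-in for the on-chain side: an append-only list of commitments."""
    def __init__(self):
        self.entries = []
    def append(self, commitment: str) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1

class OffChainStore:
    """Stand-in for the private database holding each record and its salt."""
    def __init__(self):
        self.rows = {}
    def put(self, idx, record, salt):
        self.rows[idx] = (record, salt)
    def erase(self, idx):
        # Removing record and salt leaves only the digest on the ledger.
        self.rows.pop(idx, None)

def canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def commit(record: dict, salt: bytes) -> str:
    # Keyed hash: without the off-chain salt a guessed record cannot be confirmed.
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()

def anchor(ledger: Ledger, store: OffChainStore, record: dict) -> int:
    salt = secrets.token_bytes(32)           # fresh salt per record
    idx = ledger.append(commit(record, salt))
    store.put(idx, record, salt)
    return idx

def verify(ledger: Ledger, store: OffChainStore, idx: int) -> bool:
    if idx not in store.rows:
        return False                         # erased: nothing left to check against
    record, salt = store.rows[idx]
    return hmac.compare_digest(ledger.entries[idx], commit(record, salt))

def unsalted(record: dict) -> str:
    # Weak variant for comparison: identical records give identical digests.
    return hashlib.sha256(canonical(record)).hexdigest()

if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    rec = {"customer": "C-1001", "iban_last4": "4821"}   # constructed sample
    i = anchor(ledger, store, rec)
    print("verifies:", verify(ledger, store, i))
    store.erase(i)
    print("after erase:", verify(ledger, store, i), "| on-chain entries:", len(ledger.entries))
```

With a per-record salt, two identical records produce different on-chain digests, whereas the unsalted variant makes them linkable to anyone reading the ledger.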

The curve figure in the article offers a simple illustration of how these technologies compare today, both in terms of complexity (ease of adopting the technology) and sophistication (the ability to perform data analysis and enable more flexible and open sharing of data among stakeholders).

The more complex the technology becomes, the more trade-offs are experienced, including:

– Limited transaction speed

– Limited payload size

– Higher transaction costs (in terms of computing power), and

– Risk of irrelevant data being included in the payload

The General Data Protection Regulation (GDPR) brings to bear six principles on personal data, which are that the data must be:

1. Processed fairly, lawfully and in a transparent manner (e.g. being clear about how the personal data is processed in a privacy policy and upholding data subject rights)

2. Adequate, relevant and limited to what is necessary (e.g. collecting only personal data that is necessary for the processing)

3. Collected for a specific, explicit and legitimate purpose and processed for that purpose only (e.g. processing the personal data only as set out in the privacy policy)

4. Accurate and up-to-date (e.g. updating the personal data so it is accurate on an ongoing basis)

5. Kept in a form that permits identification of data subjects for no longer than necessary (e.g. ensuring that retention periods for personal data are reasonable), and

6. Processed in a manner that ensures appropriate security of the personal data (e.g. keeping the personal data secure, accessible only to authorized individuals etc.).

Reference: WEF

Ravikant Agrawal

Management Consultant in BFSI with focus on Blockchain, Digital Identity, Open Banking; Mentor for Fintechs and Public speaker