Patrik Slettman outlines why GDPR and blockchain and TRUE are compatible.
When presenting our SaaS platform, which allows organisations to automatically generate, issue and store blockchain-secured documents, we have found that we also need to explain how we use blockchain for storage in a compliant manner, as the technology is inherently immutable. The problem is, when the topic of Blockchain and Web3 comes up, some people simply switch off and stop listening. If you also add GDPR to the conversation, people's eyes get hazy and they start looking for an exit 😉.
And we get it. We all have different interests. Not everyone is fascinated by the latest technology involving data storage. Many of us simply want to know why 'the new' is better than 'the old', and the rest doesn't matter. I mean, that's how I feel about my shampoo, my microwave and even my phone. If they work, I'm good.
With that said, let us take a stab at explaining how GDPR and Blockchain are compatible; in many ways a perfect match.
GDPR Basics
GDPR, or General Data Protection Regulation, is the privacy and data protection regulation that came into effect in EU on May 25, 2018.
The goal of GDPR is two-fold:
1: It aims to facilitate the free movement of Personal Data between EU Member States.
2: It establishes a framework of rights protecting the personal data that is used and stored.
So how is GDPR laid out to achieve these goals?
Firstly: GDPR is based on the underlying assumption that for each personal Data Point stored there is at least one legal person, a 'Data Controller', who can be contacted by the person whose Data is stored, to help enforce that person's rights under EU Data Protection Regulation.
Secondly: GDPR is also based on the assumption that the stored Data can be modified or erased when necessary, to comply with legal requirements.
Blockchain Basics
For starters, there are many different blockchains. Blockchain is a technology, not a brand, and blockchains vary greatly in complexity and are built for different purposes. At TRUE we mostly use Polygon right now, but we will expand and connect with others in the future.
The technology of blockchain is in essence a distributed database that consists of many storage units (nodes) where you can store data. Once data has been stored in a unit, it can't be modified. Exactly why that is has been explained well on numerous other websites by experts. To understand why blockchain is compatible with GDPR, all you need to know is that the stored data can't be changed.
Also, a blockchain can be owned by a company, or have no centralized owner at all, like the public chains we currently work with.
The goal of blockchain (or a distributed ledger) is to allow digital information to be stored on it, but never changed. Blockchain is an immutable ledger (storage), which also contains a record of every write to it (a type of tracking) that cannot be changed or destroyed.
Blockchain + GDPR = TRUE ❤️
Data is stored openly on the blockchain, but we make sure to first encrypt it before uploading it. Encryption can be done in many ways. At TRUE we use an encryption called SHA3 (or SHA256). After encryption, what is uploaded to the chain is a string which in itself has no value or meaning.
All organisations using TRUE function as the 'Data Controller' (see GDPR above) and can easily remove all transaction data which connects a person to the encrypted data on the chain. This renders the data stored on the chain completely useless. What is left there 'forever' is an indecipherable string which can never be read again. To change a document issued with TRUE's technology, the faulty document first needs to be removed, then a new and correct one can be issued (we also make sure that the same document can never be issued twice).
TRUE clients can remove personal data (and documents) if a Recipient requests that their data/document be removed. Everything done in the TRUE dashboard is always tracked and logged, so that if something "weird" were to happen, it is easy to look in the log and trace why it happened.
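The scheme described above, as an added example that is not TRUE's code: what the page calls SHA3 (or SHA256) "encryption" is a one-way hash, so the chain only ever holds a digest, and the Data Controller's erasure deletes the off-chain link between that digest and a person. The in-memory append-only list standing in for Polygon, the off-chain registry, and the per-document salt (which stops anyone recomputing the digest from a guessed document once the link is gone) are assumptions of this example, not features the page describes.

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed stand-in for the chain: append-only, digests only, never deleted.
LEDGER: List[str] = []
# Assumed off-chain store kept by the Data Controller: doc_id -> person, salt, digest.
REGISTRY: Dict[str, dict] = {}


def digest(document: bytes, salt: bytes) -> str:
    """SHA3-256 is one-way: the chain holds this digest, not the document."""
    return hashlib.sha3_256(salt + document).hexdigest()


def already_issued(document: bytes) -> bool:
    """True if any live record verifies this exact document content."""
    return any(digest(document, r["salt"]) == r["digest"] for r in REGISTRY.values())


def issue(doc_id: str, person: str, document: bytes) -> str:
    """Anchor the document's digest on the ledger; keep the person link off-chain."""
    if doc_id in REGISTRY or already_issued(document):
        raise ValueError("the same document can never be issued twice")
    salt = secrets.token_bytes(16)  # assumption: per-document salt, stored off-chain only
    d = digest(document, salt)
    LEDGER.append(d)  # the only thing that ever touches the chain
    REGISTRY[doc_id] = {"person": person, "salt": salt, "digest": d}
    return d


def verify(doc_id: str, document: bytes) -> bool:
    """A viewer checks a document is genuine: recompute the digest and find it on-chain."""
    rec = REGISTRY.get(doc_id)
    return rec is not None and digest(document, rec["salt"]) in LEDGER


def lookup_person(doc_id: str) -> Optional[str]:
    """Who a document belongs to: answerable only while the off-chain link exists."""
    rec = REGISTRY.get(doc_id)
    return rec["person"] if rec else None


def erase(doc_id: str) -> bool:
    """Controller honours an erasure request by deleting the off-chain link only.
    The digest stays on the ledger but can no longer be tied to a person or document."""
    return REGISTRY.pop(doc_id, None) is not None
```

After `erase`, the ledger still holds the string, but neither `lookup_person` nor `verify` can make anything of it, and a corrected document can then be issued because the duplicate check only sees live records.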
Advantages of blockchain
The advantages of using blockchain in this way are many; most argue that security and privacy are much greater using blockchain than any regular database.
Blockchain technology is already disrupting, and will continue to change, industries of all kinds: from Supply Chain Management to Banking and Fintech, Healthcare, Insurance, and of course Document Management.
Regardless of the type of chain, whether it's decentralized like Ethereum or Polygon, or owned and managed by a company like IBM (Hyperledger), the use cases and implications of the technology are vast, and growing.
Blockchain in itself is not an obstacle to following data rules or other regulations. It’s simply a technology that is best used by people with good intentions, much like many other technologies today.
Documents posted online
The technology of posting documents online and securing the metadata using blockchain is fairly new, and allows for new possibilities. For example, many people can view a document posted online at the same time, and it cannot be lost, stolen or falsified.
(A published document. When logged in, Recipients can select to watch a video (in the green bar at the top) which explains how to use the digital Diploma.)
The Recipient of the document can choose whether it should be public or set behind a password. At TRUE, we have also created an in-between status for documents, where the first page is public but the pages behind it, which can contain more sensitive information, are hidden. This feature is liked by University Students, who can show and share that they graduated from a school but hide their grades, for example, only letting selected people see the full document.
(Document with restricted access: pages behind the first are hidden.)
(Password Protected Document.)
Recipients in full control
When receiving a document (and at any time after) the Recipient can hide the published document behind a password. For anyone to view it, the Recipient needs to send them both the link to the document and the password to access it. Here is what it looks like when receiving a Diploma:
(Before a Recipient can use a document they need to accept GDPR and choose to keep the document Public or Hidden.)