Capability: Network & Infrastructure Services

Data Governance is our priority when designing a data management solution. The significant contradictions between blockchain technology and The European Union’s General Data Protection Regulation (GDPR) arouse vigorous discussions in the industry. In contrast, European Parliament highlights that it can be a suitable tool to achieve some GDPR objectives.

Make sure to read blockchain technology’s features and strategic business values, as we now explore how blockchain technology changes the game in data governance as more governments experiment with new operations.

Contradictions between blockchain technology and GDPR

The study “Blockchain and the General Data Protection Regulation”, written by European Parliament, highlights several paradoxes in the fundament of blockchain technology and GDPR:

• Data Controller
  GDPR assumption: Data is centralised on at least one or legal person.
  Blockchain technology concept: Data is decentralised to multiple nodes.
• Data Modification
  GDPR assumption: Data can be modified or erased where necessary to comply with Articles 16 (Right to rectification) and 17 (Right to erasure).
  Blockchain technology concept: Data is immutable and stored in the append-only database to ensure data integrity and increase network trust.
• Data Process
  GDPR requirement: Personal data to be kept to a minimum and only processes data purposefully specified in advance.
  Blockchain technology concept: Databases grow continuously as new data is added.

The study also underlines different forms of distributed databases. Hence the compatibility between distributed ledgers and the GDPR is determined by a case-by-case analysis that accounts for the specific technical design and governance set-up of the blockchain use case.

The above analysis leads to two overarching conclusions:

• Blockchain use cases’ technical specificities and governance design can be hard to reconcile with the GDPR. Therefore, blockchain architects must be aware of this from the beginning and ensure their design complies with GDPR.
• It also stresses the current lack of legal certainty on how blockchain can be designed to comply with the regulation – Not just due to specific features of this technology but also highlights significant conceptual uncertainties related to GDPR.

How can blockchain technology achieve GDPR objectives?

There was an ongoing policy debate in European Parliament on this topic. Their report in 2018, Blockchain: A Forward-Looking Trade Policy, pointed out that ‘blockchain technology can provide solutions for the ‘data protection by design provisions in the GDPR implementation based on their common principles of ensuring secured and self-governed data.’ Recital 7 GDPR foresees that ‘natural persons should have control of their own personal data.’ This rationale is based on the data subject rights, such as the right of access (Article 15 GDPR) or the right to data portability (Article 20 GDPR) that provide data subjects with control over what others do with their data, and what they can do with that personal data by themselves.

At the 52^nd Hawaii International Conference on System Science in 2019, a group of experts proposed a multi-layer blockchain system which can provide users with complete data transparency and control over their data. European Parliament commented that this solution would help comply with the right to access (Article 15 GDPR) and grant a fundamental right to individuals to access their personal information. This looks like a significant move in blockchain because European Parliament recognises the new standards. We believe more corporates are willing to explore the feasibility of applying blockchain in their business, and experimental cases will be boosted out in the market.

Blockchain applications in European Union

Estonian eHealth Patient Portal
Estonia is one of the first governments to embrace blockchain technology. Estonian eHealth Patient Portal, a blockchain-based infrastructure, has been used by their eGovernment to give individuals more control over their health data. A patient can authorise access to their data. By default, medical specialists can access data. However, a patient can deny access to any case-related data to any care provider, including their own general practitioner/family physician.

MyHealthMyData
MyHealthMyData is a project funded under the EU Horizon 2020 scheme that uses blockchain technology to create a structure where data subjects can allow, refuse and withdraw access to their data according to different cases of potential use. Further research can build on this project to determine whether blockchain technology can achieve GDPR objectives and create a benchmark for the industry.

Blockchain Roadmap of the UK Government

The UK Government is endeavouring to develop blockchain use cases and governance.  A report by the UK Government Chief Scientific Adviser in 2016 acknowledged that Distributed Ledger Technologies could help governments collect taxes, deliver benefits, issue passports, record land registries, assure the supply chain of goods and generally ensure the integrity of government records and services. In the NHS, technology can enhance health care by improving and authenticating the delivery of services and by sharing records securely according to exact rules.

Yet, effective governance and regulation are critical to successfully implementing distributed ledgers. Law will need to evolve in parallel with the development of new technology applications.

HM Revenue and Customs started a trial on social welfare payment distribution in June 2016 to track the distribution of benefits. They are still working with a UK start-up to integrate blockchain technology into supply chains to increase efficiency and security.

Department for Work and Pensions studied the first full production implementation, such as Santander’s One Pay FX, a blockchain-based international payments service to retail customers in multiple countries. The benefits include reducing transaction time, cost and failure rate whilst data is stored on a secure, immutable ledger.

Conclusion

Though there are significant tensions between the nature of blockchain technology and the legal frameworks surrounding data privacy, blockchain technology can be an alternative form of data management system for you to achieve particular data governance objectives, depending on the system architecture. With more governments recognising the benefits brought by blockchain, we believe blockchain technology can be compatible with data privacy law.

Despite the legal framework of GDPR being built on the fundament of a centralised database system, corporates should be more familiar with the regulations; they can face catastrophic data breaches and hefty fines in light of weak security layers. Data breaches of British Airways in 2018 and Marriott in 2020 were considered case studies.

British Airways was fined £20m for a data breach which affected more than 400,000 customers. A subsequent investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place at the time.

Marriott International was fined £18.4m for a data breach that exposed 339 million customer records in 2018, caused by poor data management policies and unencrypted sensitive data. An investigation by the Information Commissioner’s Office found the hotel giant “failed to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the GDPR.”

In other words, a robust security system is essential to data protection, not the technology itself.

Other than data privacy law, Financial Stability Board intends to implement its first recommendations on global crypto regulation in early 2023. This powerful regulation may provide more clarity for the crypto businesses on how to set up the blockchain system. Let’s follow the latest news on the regulation.

Our upcoming discussion focuses on how blockchain can improve cybersecurity and impact different business cases.

How CACI can help

Our experts can advise you on the best practice for managing your data under your regulatory requirements. We help large enterprise organisations define and execute data standards, policies and strategies.

Get in touch with us today.

 

Notes:
[1] Blockchain and the General Data Protection Regulation (europa.eu)
[2] Article 16 & 17: Right to rectification (gdpr.org)
[3] REPORT on Blockchain: a forward-looking trade policy | A8-0407/2018 | European Parliament (europa.eu)
[4] BPDIMS:A Blockchain-based Personal Data and Identity Management System (researchgate.net)
[5] Estonian Health Records to Be Secured by Blockchain – Bitcoin News
[6] Personal control of privacy and data: Estonian experience | SpringerLink
[7] My Health My Data
[8] Distributed Ledger Technology: beyond block chain (publishing.service.gov.uk)
[9] GovCoin Systems Implements Social Welfare Payments Distribution Trial for UK’s Department for Work and Pensions | Business Wire
[10] Transforming for a digital future: 2022 to 2025 roadmap for digital and data – GOV.UK (www.gov.uk)
[11] Santander One Pay FX, a blockchain-based international money transfer service – (enterprisetimes.co.uk)
[12] The changing world of payments – DWP Digital (blog.gov.uk)
[13] British Airways fined £20m over data breach – BBC News
[14] Lessons learned: the Marriott breach – Infosec Resources (infosecinstitute.com)
[15] Marriott Fined £18.4m Over Data Breach – Infosecurity Magazine (infosecurity-magazine.com)
[16] FSB ready for rapid rollout of global crypto standards (ft.com)

Blockchain technology has revolutionised an array of fields including financial services, supply chain, healthcare and the Internet of Things. In the first of a series of blogs exploring blockchain, we look at the key areas to consider before deciding to invest in blockchain – an overview of the technology, its business applications and strategic business values.

What is a blockchain?

A blockchain is a shared, decentralised database that uses Distributed Ledger Technology (DLT) to store data in a succession of segments called blocks. After the latest block is filled, it is cryptographically connected to the previous completed block. The data chain created is called a blockchain.

How does it work?

What types of blockchain are there?

Public blockchain
A public blockchain is non-restrictive and permissionless. Any internet user can register on a public blockchain platform and become an authorised processing and storage node. All nodes in the network have equal rights to access, create, and validate the data in the blockchain. Bitcoin and Ethereum are the most well-known public blockchain platforms dealing with cryptocurrency.

Private blockchain
A private blockchain works in a restrictive environment and is governed by one organisation which determines node access, executes the consensus protocol and maintains the shared data. A private blockchain typically runs within an organisation’s network to cope with highly confidential data and is held securely. Audit management and asset control are common use cases of private blockchain.

Hybrid blockchain
A hybrid blockchain combines characteristics of both public and private blockchains to control access to specific private data held on a public blockchain. For instance, property companies use hybrid blockchains to run systems privately but disclose certain transaction information to the public.

Consortium blockchain
Consortium blockchains are a type of private blockchain managed by multiple organisations rather than one entity. Supply chain management, especially for food and medicine, is an ideal application for this type of blockchain – from sourcing to delivery, all parties involved in the supply chain can form a consortium to track the product status.

The advantages of blockchain

Decentralised trust
Users no longer rely on centralised intermediaries to complete transactions. By storing data in a peer-to-peer network, every node has the same data and authority to view all transactions. There is no single point of control.

Enhanced security
Cryptographic hashing, which converts arbitrarily large amounts of data into a short unique string of text, plays a crucial role in blockchain security. A hash value is automatically calculated for each block and consists of the block’s ID number, user ID number, previous block’s hash value, timestamp and other details. Employing hashing in this manner makes it impossible to change any data held in the block, metadata about the block, or its position in the chain without having to recompute that and every subsequent block in the chain.

High level of data integrity
From the verification process to storing transactions, data is verified by a consensus algorithm specific to the blockchain protocol. Any invalid data is rejected, protecting the chain from human error. The integrity and security of blockchains make them immutable, transparent and unimpeachable.

Disadvantages of blockchain

Uncertain legal and regulatory environment
Blockchain technology is still developing and the principles of existing regulations may not accommodate the fundamentals of blockchain. For instance, General Data Protection Regulation (GDPR) assumes data is centralised on at least one legal entity, while blockchain decentralises data storage to an anonymous network of nodes. Blockchain technologists should study the regulations thoroughly before implementation.

Novel cyber-attacks
Blockchains are not immune to cyber-attacks and all new technologies have undiscovered vulnerabilities. Attacks such as the following are effective against blockchain:

• a 51% attack – where more than half of the nodes computing a chain are influenced by a bad actor
• a Sybil attack – where a single entity creates multiple dummy nodes to wield disproportionate voting power
• DDOS – where nodes are flooded with connections which block out legitimate traffic

There are no quick solutions to safeguard your systems, blockchain technologists can implement careful plans on system architecture and design to pre-empt cyber-attacks.

High energy consumption and data storage cost
Older blockchains, such as Bitcoin, validate blocks using a Proof of Work consensus algorithm in which all the nodes compete to compute a completed block in exchange for an administrative payment. Only one node can win resulting in all the partial computations being wasted. This amounts to a tremendous waste of electricity. More modern blockchains employ Proof of Stake, which is much more efficient, but migrating from one protocol to the other is extremely complicated. Blockchains ledgers – the data chain – are replicated at least in part to every node. By 2021, the Bitcoin ledger had reached 433GB [1] and the Ethereum ledger close to 1TB [2]. Given node counts in the thousands, even partial replication represents vast duplication across the world.

Considerations before you implement blockchain

Business needs
Before you implement blockchain technology, we strongly advise your team to evaluate existing business models and needs. Businesses that require a high level of data integrity and traceability are more likely to apply this. Investing in blockchain technology is worthwhile if the application transforms your user experience, democratises governance or reduces overall cost; but it is fundamentally a distributed database.

Integration concerns
Given that most organisations rely on legacy systems to run their business, careful technical analysis is essential to ensure that blockchain systems can integrate successfully with the existing estate.

Privacy issues
Logical layers in a blockchain system are the key to complying with privacy regulations. Stakeholders should examine the interactions between different layers – how the data is stored, accessed and transacted in the system.

Cost and revenue analysis
Enormous investments in setting up a blockchain system – such as infrastructure, data storage and maintenance – often create barriers for organisations to get involved. However evaluating its strategic business values can change your mind. Let’s take some examples from The Blockchain 50, named by Forbes [3] :

• Allianz streamlines cross-border auto insurance claims in Europe. Processing time for insurance claims has been reduced from several months to minutes and costs have fallen 10%. The quick claim procedure absolutely contributes to a high customer satisfaction level and customer retention. No wonder Allianz has led in the claims category with a satisfaction score of 76.04%, according to Brokerbility’s survey. [4]
• Boeing builds a digital aircraft record system to help airlines keep up with required maintenance, saving 25% on maintenance costs, potentially worth up to $3.5 billion (~£2.96 billion) annually.[5]
• De Beers has registered over 400,000 gems worth $2 billion (~ £1.6 billion) to provide immutable records of a gem’s origin, to track it along the supply chain and improve jewellery retailers’ confidence in procurement. [6]

Scalability
As more nodes join a blockchain network, latency and convergence can increase. Compare the transaction speed between Bitcoin, the oldest and biggest public blockchain network which can only process 7 transactions per second, and Visa, a centralised electronic payment network which can handle more than 24,000 transactions per second [7].

Scalability is a challenge in setting up a public blockchain, but there are several options to enhance it:

• Data Sharding – Data sharding splits an extensive blockchain network into smaller, more easily managed parts called shards. A node does not need to rely on the whole database to verify and process a transaction. Instead, all nodes work in parallel, resulting in more efficient transaction throughput.
• Off-chain data storage – Transactions can be completed on the blockchain network, and data is stored in the off-chain environment to reduce the on-chain storage requirements.
• Scalable consensus mechanisms – The Proof of Work consensus protocol in Bitcoin provides a high-security mechanism but a long transaction time. Proof of Stake consensus mechanism is a possible solution to speed up transaction time and higher scalability.

Conclusion

To decide whether to invest in blockchain technology, your team should ascertain whether your business needs will be best met by using this approach and explore cost and revenue impact as much as possible. Equally, you should consider the disadvantages of blockchain technology such as potential cyber-attacks, high energy consumption and scalability concerns to decide how to address each of them. Blockchain technology is not the only way to perform full data transparency or traceability – well-managed centralised databases can solve it.

Blockchain technology changes how we trust and solve problems in a traditional database system, like disintermediation and data security enhancement. It can optimise the operation in low-trust environments where users rely on third-party checks.

An insight written by McKinsey Digital [8] analysed the monetary impact in more than 90 use cases; they estimated that approximately 70 per cent of the value at stake in the short term is cost reduction, followed by revenue generation and capital relief. Cost can be taken out by removing intermediaries and administrative efforts on housekeeping, as well as improvements in transparency and fraud control.

Specific industries that capture the most significant revenue from blockchain are Automotive, Healthcare, Property, Public Sector and Technology, Media & Telecommunications. We believe the value of blockchain will enable brand-new business models and revenue streams over time.

This is the first blog in our new series which aims to help you understand the different aspects of blockchain technology. Over the course of the series, we will discuss how blockchain impacts data governance, cybersecurity and cyber-attacks.

How CACI can help

Equipping your systems with blockchain-compatible elements is a key initial step. Our services enable you to ensure that the foundations are correct and our experts can advise you on network design, architecture, service design, business process, data governance and cybersecurity solutions. Get in touch with us today.

 

Notes:
[1] Blockchain Explorer – Search the Blockchain | BTC | ETH | BCH, statistics as of 23 Oct, 2022
[2] Ethereum Chain Full Sync Data Size (ycharts.com), statistics as of 24 Oct 2022
[3] Forbes Blockchain 50 2022
[4] Allianz tops the ranks in Brokerbility’s insurer partner satisfaction survey (insurancetimes.co.uk)
[5] Boeing supports TrustFlight aircraft maintenance project using blockchain – Ledger Insights – blockchain for enterprise
[6] De Beers group introduces world’s first blockchain-backed diamond source platform at scale – De Beers Group
[7] Small Business Retail | Visa
[8] The strategic business value of the blockchain market | McKinsey