Data privacy versus data security: why is it so hard to have both?
The General Data Protection Regulation (GDPR) came into force in May 2018 and the California Consumer Privacy Act (CCPA), the US’s first state data privacy law, took effect in January 2020. These data protection rights, regulations and laws do a lot to address ongoing threats to personal privacy and data.
At the same time, distributed ledger technologies (DLT) like blockchain have introduced new approaches to securing data. However, the two movements – each aiming to deliver security and privacy in distinct ways – face complex and sometimes contradictory challenges as they come together.
Security through Immutability
To protect data from the increased threats of the digital era, blockchain and other DLT secure data by making it immutable. How does it do this? Once an action or transaction takes place, it creates a digital record that cannot be altered or falsified.
“One source of truth” emerges – eliminating the risk that anyone can add or share inaccurate, fraudulent or inconsistent data. This means anyone who uses it can transact with confidence, assured that the data they are relying on is accurate and reliable and that access has been, and will continue to be, fully protected.
Newer and more advanced DLT configurations deliver even greater privacy. Through “permissioning”, they clearly identify every user and can use that identity to obscure sensitive ledger data from public view. Built-in rules govern user behaviours: only authorised participants can join and read, and only the network operator can write and commit. It’s hard to imagine data being any more secure than in immutable records with a permanent audit trail and controlled access.
The challenge is data protection. Why is this? How could optimal security not advance data protection? Let’s examine this in greater detail.
The right to be forgotten
Under GDPR, people (as data subjects) control the data held about them. They have a legal “right to be forgotten”. Organisations must erase personal data records on request and comply with retention and document validation periods. This creates an interesting dilemma. How can records be deleted from an immutable infrastructure?
The United States faces this data erasure challenge as well under new regional laws. Similar to the EU-wide GDPR, California rules require businesses to respond to requests from consumers to delete their personal information within specific timeframes. Among other data protection requirements, the CCPA grants California consumers “the right to delete” personal information, and businesses with gross annual revenues in excess of $25 million are obliged to comply.
While CCPA obligations may differ slightly from GDPR rules (for example, each may define personal information differently, and they vary in areas such as verification of consumer requests), both create similar data security and protection rights challenges for document technology.
How permissions work
Two practices resolve the issue: key management and permissioned access.
Cryptographic key management is one of the core elements of blockchain DLT. DLT encrypts and distributes data among numerous participants, meaning that anyone who wants to later process the data must first decrypt it using a dedicated unique key that can only be granted at the moment of data or document publication. A well-designed key management system limits access solely to the data subject (publishing the information or document) and the service supplier (requiring the information or document). Layers of technology, including biometric identifiers, voice recognition and passwords, can further protect it.
An organisation that uses blockchain to control user access through a robust key management system both defines key permissions and limits access at the time of creation. The organisation can set the rules it needs to define if and how permissions can be granted and revoked. It can be user friendly and simple. For example, it can allow the original user to delete or revoke access rights for particular parties. A key holder whose access has been revoked can no longer access, read or process the personal data in question. Personal data and private information would not linger any longer than necessary (or than required to meet regulatory obligations). It would essentially have been ‘removed’ from those who had access before.
Tactical cyber defense within blockchain
But if the data hasn’t actually been deleted, how can it be protected in the event of a cyberattack? The fundamental breakthrough is putting data “on chain” rather than in an unprotected meta-data layer (that can be decrypted by others).
Secondly, it is vital to decompose the data so that what is stored looks like random, not personal, data. Any attacker would then face greater obstacles than simply cracking three layers of encryption to find the data, as only users with access to the key could ever hope to read it. A final technique is decomposing and encrypting each field of data separately, so that any attacker can only target random fields (which may or may not reflect the attacker’s true goal). An attacker would struggle to find where to attack and would receive insufficient returns to justify the effort.
These practices effectively protect and secure data through immutability. Without actually erasing data, blockchain grants users the “right to be forgotten” through an alternative approach.
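To make the key-management and field-level encryption approach of the two sections above concrete, here is an added example (not code from the article or from any DLT product): personal data is encrypted field by field, only ciphertext goes into an append-only hash-chained log, and an erasure request is honoured by destroying the subject's keys in a mutable off-chain vault rather than touching the ledger. The keystream cipher, vault and ledger are simplified constructions for illustration only; a real deployment would use an AEAD such as AES-GCM and a properly protected key store.

```python
import hashlib
import hmac
import json
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream: a stand-in for AES-GCM, as the stdlib has no AES.
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

def ledger_append(ledger: list, payload: dict) -> int:
    # Append-only, hash-chained store: every entry commits to the previous entry's hash.
    prev = ledger[-1]["hash"] if ledger else "0" * 64
    body = json.dumps(payload, sort_keys=True)
    ledger.append({"prev": prev, "body": body, "hash": hashlib.sha256((prev + body).encode()).hexdigest()})
    return len(ledger) - 1

def ledger_verify(ledger: list) -> bool:
    # Recompute the chain; rewriting any entry breaks its hash and every later link.
    prevs = ["0" * 64] + [e["hash"] for e in ledger[:-1]]
    return all(e["prev"] == p and hashlib.sha256((p + e["body"]).encode()).hexdigest() == e["hash"]
               for e, p in zip(ledger, prevs))

def publish(ledger: list, vault: dict, subject: str, record: dict) -> int:
    # One key and nonce per field; keys stay off chain in the mutable vault, only ciphertext goes on chain.
    fields = {}
    for name, value in record.items():
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        vault[(subject, name)] = key
        fields[name] = {"nonce": nonce.hex(), "ct": keystream_xor(key, nonce, value.encode()).hex()}
    return ledger_append(ledger, {"fields": fields})

def shred(vault: dict, subject: str) -> int:
    # Erasure request: destroy the subject's keys; the immutable ledger itself is untouched.
    gone = [k for k in vault if k[0] == subject]
    for k in gone:
        del vault[k]
    return len(gone)

def read(ledger: list, vault: dict, subject: str, index: int) -> dict:
    # Decrypt the fields the vault still holds keys for; shredded fields come back as None.
    result = {}
    for name, enc in json.loads(ledger[index]["body"])["fields"].items():
        key = vault.get((subject, name))
        result[name] = None if key is None else keystream_xor(
            key, bytes.fromhex(enc["nonce"]), bytes.fromhex(enc["ct"])).decode()
    return result
```

After `shred`, the ciphertext is still on the ledger and the chain still verifies, but nobody can recover the plaintext, which is the "removed from those who had access" outcome described above.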
Protecting customers and advancing compliance
Users expect and deserve their data to be protected from cyberattacks and security breaches. They also need to know that their personal data cannot be accessed or used for purposes not previously agreed to, such as unsolicited marketing calls or even fraudulent activities. Fear of tampering may deter users from accessing digital services. Organisations that manage or access data need to be able to offer data-safe solutions that support their business goals and advance their regulatory compliance.
Firms that use blockchain databases need simple, clear ways to assure customers that they can control their personal data and that it will always be protected in accordance with GDPR. A new generation of permissioned DLT holds promise to not only support data security but also to meet users’ need to control their data in compliance with GDPR and other regulatory requirements.