KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Let's have a look at the agenda would like to talk you through a couple of, of points. Would you brief move on the next slide? Yes. So I would like to start with, with the use cases of blockchain technology and the financial sector, the now ed light on the questions, which blockchain player must be considered as controllers or processors. And when it comes to blockchain and the GDPR, I think it's of utmost importance to consider data, subject rights, such as a right to be forgotten and they're effect and enforceability.
The more so between data privacy and the blockchain technology can be broken down in the principles of data, minimization, data, purpose limitation against blockchain finale principle. Would you please move on those next slide please?
Yeah, I will demonstrate how you can bring blockchain technology in line with these data protection principles and with data subject rise. Finally, I will be touching on privacy by design in relation to blockchain. Please move on to the next line. Let's click on with a use cases. Most financial institutions in Germany, I've been evaluating potential business cases for leveraging blockchain. And we have just seen a couple of, of them in our two days conference.
When it comes down to the usage of blockchain technology, these use cases can be put into three buckets care, settlement, cryptocurrencies, and trade finance into including the insurance sector. Broadly speaking, I've observed that blockchain itself is currently not survivor for establishing new business cases in the financial industry.
However, it's a step by step approach. After evaluating the business case, banks are performing case studies such as machine to machine payment applications, crypto fund depository, or crypto fund management. It is one real life example for implementing a blockchain based solution. I've experienced some insurance companies and one public authority created a private blockchain leveraging a smart contract in order to avoid multiple bookkeeping efforts.
The smart contract was designed to calculate the extra pay from the public authority and to optimize amount of the premiums the customers have to pay. The smart contract algorithm was developed to consider these credentials accordingly. It's first to note that unmasked real live personal data of the customers have been put onto the chain only accessible for authenticated insurance companies. Unfortunately, the project hasn't left the proof of concept stage two to substantial privacy concerns. Please move on the next slide. Exactly.
So what are the roles of the blockchain players under the GDPR? The regulations that's out a predefined and limited number of roles and responsibilities such as data controller, joint controller and processor. It's first to have a quick look at say legal definition of controllers versus processors. What is a controller controller is on tool or legal person.
I know that it's very boring, but I think it's it's to, to have this in mind, which alone or childly when others determines the purposes and means of the processing activity Beki in my purposes and means, whereas a process is considered as in a tool or really person which processes personal data on behalf of the controller that are some similar similarities to the legal terms defined under the Californian privacy regimes, the CCPA, there are various actors in the blockchain environment, which have a specific role to play that comes down to the problem.
To what extent the roads defined in the GDPR may be associated to them. Let's shed light on the key actors in the blockchain network, which are minors, blockchain users, or participants and developers of smart contract. There are many more I showcase on this slide. Let's start with a minors. What is mining? Mining is act of solving a mathematic puzzle within the proof of C model consensus model, therefore minors validate transactions to be added to the blockchain minors underneath a controllers or pro no processors, then say don't determine the specific purpose of the data processing.
Neither do they carry out services or any, any sort of instructions based on, on, on the instructions of the controller, they only belong to the blockchain network, the blockchain infrastructure without taking over any role under the GDP. Now let's move on to this users. What are users doing? Users participate in transactions within the blockchain network, the clue, which is a French data protection authority, very powerful institution, and the AU blockchain observatory are shortly of the opinion that users act as controller only if they submit personal data to the blockchain.
And this is the key, the, the most important thing here. If this happens to in conjunction with their business or commercial activities, How do developers interact with the blockchain network? Blockchain applications often use smart contract. A smart contract is a software by virtue of an a that once deployed to the chain can be executed without any interference from their developers. According to the canoe, developers have no role to play unless they actively intervene in any data processing activity, or if they have a specific interest in the outcome of such operation. Next slide, please.
How, how do data subjects rights apply to the blockchain? The GDPR comes into play as soon as personal data is being processed. It's worth to know that submitting and storing personal data onto the blockchain is considered as a processing activity. Another GDPR, whenever you keep you put personal data onto the blockchain, the data is being store there. And this is considered as a processing activity. If the storage of personal data can be linked to an individual, the question will arise against whom then a person may exercise expireds.
In that context, you should always distinguish between private blockchain and public blockchains in a private blockchain environment. Governance bodies have been put in place typically to comprising of a limited number of users, which are the perfect target to address any data, subject bias, opposed to private blockchains, public blockchains, much more, a much more problematic things. The data subject faces challenges from two sides. First it's nearly impossible to clearly identify one controller whom the right may be addressed to.
And second to force a controller once identified to perform his or her GDPR related duties, such as providing information to the layer objects. If you turn on the next slide, I will give you a little bit more details on that issue.
Yes, here we are. So let's have a look at three data subject rights, which impose a huge challenge for both the data subject and the control on first, there's the right to access personal data. That right is a basic right. It's a prerequisite for the exercise of any of the other rights, such as a right to delete data. Use the catch here, the issue and a public blockchain environment, any controller is as a matter of fact, not capable to fulfill this obligation with a visa data subject who is requesting data access.
This is because the data is typically encrypted or hashed, and it is impossible to decrypt the data without having the key under control. Irrespective of that, the controller is unable to identify that set of data, which relates to the data subject. Who's raising the particular request lesson point to the right to rectify personal data. That means that individual shall have the right to request rectification of inaccurate or incomplete data, which relates to him or her. That's why it clashes with factual impossibility. That's very important.
The factual important impossibility to modify any data, given that the data is immutable and cannot be altered or changed once, which is start to the blockchain, whatever you put on the chain, it remains there and it's not changeable anymore. Next slide, please. This perfectly takes me to the next most important and most prominent, right? Right. To erase data, you should interpret a ratio very broadly. A includes. The overriding of data was simply making it unusual to put it beyond use. I like the request for rectification. It is at first glance, not possible to delete data from the blockchain.
Given that data written to the chain is immutable. Any data which has been put on the chain remains there.
However, I will show case once solution in a little while when walking you through the options to meet such kind of requests. Next slide, please. On that slide, you may see that blockchain technology is seemingly not in sync. We a principles of data minimization and data and purpose limitation. What are the backbones of any data protection laws globally? I will now elaborate a little bit on these principles in order to better illustrate the war zone between GDPR and the blockchain technology technology. Please move on to the next slide. So what does purpose limitation mean?
Personal data should only be processed for specific explicit and litera limit purposes. Any further processing shall not be permitted. Unnecessary data subject has consented to the new purpose. The regional behind it is to prevent the use of data of individuals in a way they won't expect. What does it mean in the blockchain context, blockchains by nature, continuously processes information, as soon as submitted to the lecture, the issue is what happens if personal data is not needed anymore.
For example, after completing a particular transaction or broadly speaking, if a data processing activity has been finished completed, I call that kind of data legacy data in a nutshell, storing respectively processing, personal legacy data onto a blockchain conflicts with the principle of purpose limitation, since the data must be removed from the blockchain. As soon as the particular processing operation has been completed, please move onto the next slide. This links into the next principle, that principle of data minimization, it comprises of twofolds.
First, there is a data quality aspect, which partly overlaps with the purpose limitation principle only such data, which is necessary to meet the given purpose must be gathered and processed second. And this is a timing, timing aspect embedded in the principle. The period for which the data is being processed must be limited to a strict minimum. Two artifacts of blockchain are clashing that data minimization principle first, there is an ever growing nature of blockchain.
The personal data written on the chain is continuously mirrored in the subsequently added blocks that per C se violates the data. Minimization principle. Second personal data is being replicated in all wallets around the globe. Since all node have a full copy of the database. Next slide, please.
You can, you can see what T you should use in order to reduce any data protection issues in accordance with existing guidance from the kil, the French data protection authority. I recommend to check the following questions in set order.
First, is it really necessary to put personal data onto the blockchain? When the answer is, yes, you should determine the type of blockchain to be used. Private blockchain, sorry. Private blockchains should be the first choice. There's a few to their governance structure, which makes it easier to comply with data subject rights due to the limited number of controllers and processes, irrespective of what kind of blockchain you are using. It is really critical to have state of the art encryption in place in order to safeguard the personal data submitted to the blockchain. Next slide, please.
On this slide, I would like to jump on this third bullet, the usage of innovative encryption techniques, where I recommend to scrutinize the following aspects. Analyzation should always be considered.
Firstly, since it converts personal data to non-personal data, as a result, the GDPR does not apply after getting the data, the personal data anonymized anonymized. Yeah, it is. If this is not feasible, You should use hashing techniques or at least state of the art encryption. Hashing is one of the most effective techniques to encrypt data. But this is the flip side by no means. Hashing may turn personal data into non-personal data. With other words, hashing can never change the nature of personal data. It's only an, an safeguard, nothing more that differentiates hashing from analyzation.
Please move on to the next slide on this. On the next slide, I will be presenting two innovative techniques aiming to mitigate the data protection risks. Both techniques deal with issue on how to handle legacy data. Once again, legacy data is set of data, which is not needed anymore.
It's a, it's a set of personal data without any usage anymore. As a related transaction or the data processing activity has been completed.
However, the data remains on the blockchain since it is mutable, as said, there are currently two remedies in place to be taken into consideration. One remedy boils down to setting up two or more blockchains, which are closely intertwined as shown on this slide.
One, blockchain is a private blockchain, whether transaction or the real time data processing operation takes place. There are some blockchain is a public one where the legacy data is being transferred to as soon as there's no need to use personal data anymore, personal data is being removed from the private blockchain and put onto the public one. This technique makes post chains interoperable and may resolve the scalability issue that Chris Berger pointed out today.
However, the legacy data is still visible on the public blockchain. The usage of multi-layered blockchain is actually not the silver bullet on the journey for achieving GDPR compliance, but it's a great technique, me or good good measure for safeguarding personal data. Please move on to the next slide here on that slide.
I would like to present one technique, which I think is the most straightforward and effective one in terms of resolving the described data protection issues around legacy data, I call it hashing our technique hashing our difference from the multilayered approach as you remove database is not being stored. Another blockchain legacy data is being transferred off chain to an external database. So original retrospectively the reference data is replaced with a placeholder, a hash, which remains on the blockchain and points to the, a reference personal data, which is thought externally.
But here's the downside of that approach. The on chain hash remains on the blockchain and the hash value itself is considered as personal data as described before on the next slide of it's, we will see how we can tackle that issue. Please move on to the next slide.
Yeah, exactly. So if individual races equally a request to erase his or her personal data from the blockchain, the controller can meet that request by transferring the personal data off chain to an external database and deleting it there. The question is what is happening with the hash value, which is still on the blockchain? The answer is that the hash has nothing to relate to after the reference, the personal data has been completely deleted. The hash becomes a random string without any meaning.
It's important to note that is AB added is absolutely impossible to reverse engineer reference data from the hash deleting. The off chain personal data from the external database is a huge impact on the hash value, which then becomes a non-personal data in summary hashing out most likely complies with the principles of purposely mutation and data minimization, and is a present the only measure to meet data requests in a sufficient manner. Please move on to the next slide.
Yeah, we very quickly touch on privacy by design on a very high level explanation. It's an overarching principle of any data protection regimes that businesses adopt security measures from the outset when displaying new applications are like blockchain, the details vary jurisdiction by jurisdiction. Another GDPR controllers must consider data protection, principles and safeguards while developing, designing, selecting, and using applications services and products that are based on the processing of personal data.
This is carried out by implementing appropriate technical and organizational measures from the very beginning, broadly speaking, the privacy privacy by discipl principle requires controller or businesses in the, in the California. We talk about businesses to choose that kind of technology with the least impact on privacy rights of individuals appropriate safeguards must be baked in the technology before its implementation. Next slide, please. As the consequence, the controller must at least encrypt data when submitting it to the blockchain.
I've added two reword use cases where you can see how data protection by design or default privacy by design works out in practice. Please move on to the next slide. Yes.
And this, this slide with this slide, I would like to con to, to conclude my presentation. What are the take the takeaways let's call out three, one or the most swiping takeaways, any tensions between blockchain and the data protection cornerstones can be overcome by using smart and innovative techniques like hashing out and choosing private blockchains rather than public ones. But there are still some tensions which require clarifications from local data protection authorities or from the European data protection board. And now I would like to point to, to the next slide.
This is really the, the final one. I would like to, to point to the handbook of blockchain law, where I'm co-editor and co-author, and which comprises big chapter on the technology, how the, how it works, what are the features of blockchain and some pertaining the legal chapters, which, which deal with all legal areas associated to the blockchain technology? I think that's, it's a new concept and the book is, is brand new, has been released in September last year.
And yeah, in case of any questions, I would like to open the floors for, for KU. Thanks a lot.
