Much of the discussion to date around blockchain and distributed ledger technology (DLT) has been about making data more secure. This is unsurprising given that the technology is designed to ensure:
- Immutability – each block in a transaction is ‘linked’ to the previous chain via encryption;
- Security – encryption and distributed ledgers make it safer than centralised databases; and
- Transparency – anyone with access to the ledger can view the transactions in the ledger.
Further, it is not always clear whether the application environment in which DLT is intended to operate enables compliance with related privacy regulation. For example, GDPR Articles 12 – 22 set out data subject rights including rights of access, rectification, erasure, restriction and portability. The blockchain principle of immutability referenced above would seem to run contrary to these data subject rights if personal data is included in the blocks that make up the chain.
The use of “on-chain and off-chain” deployment models is an example of how areas of potential regulatory non-compliance can be addressed. This type of hybrid deployment model could be used to keep part of the transaction on-blockchain and any personal data processing off-blockchain. One possible use of on-chain off-chain blockchain technology is identity verification. Where an organisation is subject to know your customer (KYC) regulations, blockchain and DLT technology could be used to verify a prospective customer’s identity, without the need to collect, store or process any personal data to verify such identity.
In this case, the personal data required to validate an individual’s identity will be confirmed by a trusted third party and held by the individual in an encrypted digital wallet. The organisation wishing to verify the customer’s identity for the purpose of KYC would use public key/private key authentication to verify the individual’s identity, without ever having to further process this personal data in the form of identity checks with, for example, credit reference agencies.
A digital identity solution of this kind would be very attractive to organisations who might wish to supply or market goods and services to consumers, but who are also keen to ensure, to the greatest extent possible, that their KYC processes remain outside the scope of the GDPR and other related data privacy legislation. However, this would require the organisation to “trust” the validity of the personal data held in the digital wallet, so some form of authentication or certification of trusted third parties would be required.
Does this not then defeat the purpose of blockchain and distributed ledger technology if not all data is stored on the blockchain and the very information that is most important to protect, i.e. personal data for the purposes of identity verification, still sits on a centralised database, albeit with a ‘trusted third party’?
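The hybrid on-chain/off-chain model described above can be sketched as follows. This is an added example, not code from the original article: the ledger holds only a salted hash of the identity attributes, the attributes themselves live in an off-chain store, and the wallet and public key/private key step is not modelled. All names (`Ledger`, `commit`, `verify`, `demo`) and the sample record are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def commit(attributes, salt):
    """Salted SHA-256 commitment over canonical JSON of the attributes."""
    payload = json.dumps(attributes, sort_keys=True).encode()
    return hashlib.sha256(salt + payload).hexdigest()

def block_hash(prev, commitment):
    return hashlib.sha256((prev + commitment).encode()).hexdigest()

class Ledger:
    """Append-only hash chain holding commitments only, never personal data."""
    def __init__(self):
        self.blocks = []
    def append(self, commitment):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "commitment": commitment,
                            "hash": block_hash(prev, commitment)})
        return len(self.blocks) - 1
    def is_intact(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["commitment"]):
                return False
            prev = b["hash"]
        return True

def verify(ledger, off_chain, index):
    """True only while the off-chain record still exists and matches the chain."""
    record = off_chain.get(index)
    if record is None:
        return False
    attributes, salt = record
    return hmac.compare_digest(commit(attributes, salt),
                               ledger.blocks[index]["commitment"])

def demo():
    ledger, off_chain = Ledger(), {}
    attrs = {"name": "Alice Example", "dob": "1990-01-01"}  # constructed sample
    salt = secrets.token_bytes(32)  # random salt resists guessing low-entropy data
    idx = ledger.append(commit(attrs, salt))
    off_chain[idx] = (attrs, salt)
    before = verify(ledger, off_chain, idx)
    del off_chain[idx]  # erasure request: delete the data and salt off-chain
    after = verify(ledger, off_chain, idx)
    return before, after, ledger.is_intact(), len(ledger.blocks)
```

After the off-chain record and its salt are deleted, the chain still validates and still contains the block, but the commitment can no longer be checked against any data; the off-chain store is the single place where the personal data sits.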