Blockchain in the compliance arsenal
By Mervyn Mooi, Director at Knowledge Integration Dynamics (KID)
Amid growing global interest in the potential for blockchain technology to support data management, enterprises may be questioning its role in compliance, particularly as the deadline looms for compliance with the European Union General Data Protection Regulation (GDPR).
For South African enterprises, compliance with the Protection of Personal Information (POPI) Act, alignment with the GDPR are a growing concern. Because GDPR and POPI are designed to foster best practice in data governance, it is in the best interests of any company to follow their guidelines for data quality, access control, lifecycle management and process management - no matter where in the world they are based.
At the same time, blockchain is attracting worldwide interest from a storage efficiency and optimisation point of view, and many companies are starting to wonder whether it can effectively support data management, security and compliance. One school of thought holds that moving beyond cryptocurrency, blockchain’s decentralised data management systems and ledgers present new opportunities for more secure, more efficient data storage and processing. However, there are still questions around how blockchain will align with best practice in data management and whether it will effectively enhance data security.
Currently, blockchain technology for storing data may be beneficial for historic accounting and tracking/lineage purposes (as it is immutable), but there are numerous factors that limit blockchain’s ability to support GDPR/POPI and other compliance requirements.
Immutability pros and cons
Because public blockchains are immutable, once data is stored in blockchains, it cannot be changed or deleted. This supports auditing by keeping a clear record of the original, and every instance of change made to the data. While blockchain stores the lineage of data in an economical way, it will not address data quality and integration issues, however.
It should also be noted that this same immutability could raise compliance issues around the GDPR’s right to be forgotten guidelines. These dictate the circumstances under which records should be deleted or purged.
In a public blockchain environment, this is not feasible. Indeed, in many cases, it would not be realistic or constructive to destroy all records, and this is an area where local enterprises would need to carefully consider how closely they wanted to align with GDPR; and whether encryption to put data beyond use would suffice to meet GDPR right to be forgotten guidelines.
Publicly stored data concerns
In addition to the right to be forgotten issue, there is the challenge that data protection, privacy and accessibility are always at risk if data is stored in a public domain such as the cloud or a blockchain environment. Therefore, enterprises considering the storage optimisation benefits of blockchain would also have to consider whether the core and confidential data is locally stored on private chains, and more importantly, whether those chains are subjected to security and access rules and whether the chain registries in the blockchain distributed environment are protected and subject to availability rules.
Blockchain environments also potentially present certain processing limitations: enterprises will have to consider whether blockchain will allow for parts of the chain stored for a particular business entity such as a customer (or its versions), to be accessed and processed separately by different parties (data subjects) and/or processes.
The data quality question
The pros and cons of blockchain’s ability to support storage, management and security of data in the environment is just one side of the compliance coin: Data Quality is also a requirement of best practice data management. This is not a function of blockchain and therefore cannot be guaranteed by blockchain. Indeed, blockchain will store even unqualified data prior to its being cleansed and validated. Enterprises will need to be aware of this, and consider how and where such data will be maintained. The issues of data integration and impact analysis also lie outside the blockchain domain.
IDC notes that ‘While the functions of the blockchain may be able to act independently of legacy systems, at some point blockchains will need to be integrated with systems of record’, and says that there are therefore opportunities for ‘blockchain research and development projects, help set standards, and develop solutions for management, integration, interoperability, and analysis of data in blockchain networks and applications’.
While blockchain is set to continue making waves as ‘the next big tech thing’ it remains to be seen whether this developing technology will have a significant role to play in compliance and overall data management in future.