It seems that we are seeing more practical applications of blockchain almost by the day. Now Macro 4, which provides enterprise content management software, has applied the technology to help tackle compliance, releasing a blockchain GDPR solution, Columbus DW 8.4.
Under GDPR, and indeed other privacy frameworks being rolled out across the world, such as in Brazil, Canada and California, the ‘right to be forgotten’ and data redaction are key elements.
The ‘right to be forgotten’ does itself create a dilemma: how do companies prove they have complied with a data subject’s wishes and deleted their personal data in the appropriate way?
Data redaction, which entails removing or replacing certain sensitive data either by anonymising or pseudonymising it, poses its own technical challenges.
The Macro 4 product now uses the blockchain to overcome the challenge of ‘right to be forgotten’ — effectively providing a blockchain GDPR solution. It also provides a data redaction solution.
As Macro 4 said: “One of the core requirements of a legal archive is the ability to capture all the events happening around the documents you’re holding and to validate those events with the same level of integrity and security as the document itself. For example, if customers exercise their ‘right to be forgotten’ under the GDPR you need a reliable record of the fact that you’ve deleted their data.”
Columbus DW addresses this by recording the event on the blockchain, providing absolute proof that what should happen has actually happened.
Blockchain GDPR: ‘The right to be forgotten’
It does this by introducing the capability to record document-related events using the same tamper-evident hashing mechanism as the blockchain, with the option to trigger business processes or email notifications when events occur. It then enables the same record to be committed to the blockchain to independently verify that the information has not been tampered with.
Jim Allum, Director, Commercial and Technical at Macro 4, explained: “By cross-checking the hashes stored locally, in the Columbus tamper-evident audit log, with the hashes recorded on the tamper-evident blockchain, it is possible to prove conclusively that nothing has been changed.”
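The cross-check Allum describes can be sketched as follows. This is an added illustration, not Macro 4's code or the Columbus DW format: the event fields, the SHA-256 chaining scheme and the `ledger` dict standing in for the blockchain are all assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def entry_hash(prev_hash, event):
    """SHA-256 over the previous hash plus a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, event):
    """Append an event to the local log, chained to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "hash": entry_hash(prev, event)})
    return log[-1]["hash"]

def rechain(log):
    """Recompute every hash in place, as someone rewriting the log would."""
    prev = GENESIS
    for entry in log:
        entry["hash"] = prev = entry_hash(prev, entry["event"])

def verify(log, anchored):
    """Return None if intact, else the index of the first bad or missing entry.
    anchored maps entry index -> hash previously committed to the ledger."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["event"]):
            return i  # local chain broken
        if i in anchored and anchored[i] != entry["hash"]:
            return i  # disagrees with the independently held record
        prev = entry["hash"]
    missing = [i for i in anchored if i >= len(log)]  # log was truncated
    return min(missing) if missing else None

# Constructed sample events: opaque document IDs only, no personal data.
log, ledger = [], {}
append(log, {"doc": "DOC-0001", "action": "archived", "ts": "2019-03-01T09:00:00Z"})
append(log, {"doc": "DOC-0001", "action": "erasure_requested", "ts": "2019-03-04T10:15:00Z"})
ledger[2] = append(log, {"doc": "DOC-0001", "action": "deleted", "ts": "2019-03-05T08:30:00Z"})

tampered = copy.deepcopy(log)
tampered[2]["event"]["ts"] = "2019-06-30T08:30:00Z"  # edited event, stale hash
rewritten = copy.deepcopy(tampered)
rechain(rewritten)  # hashes recomputed so the local chain looks consistent
```

`verify(rewritten, {})` returns `None` while `verify(rewritten, ledger)` returns `2`: a log whose hashes were recomputed after an edit is self-consistent, and only the independently held hash exposes it.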
Redaction: anonymised and deanonymised data
The product also enables organisations to prevent viewing of sensitive text or images using a variety of redaction methods which include the replacement of selected content with random characters, ‘X’s, black boxes, or blank space.
Redacted views can be applied to all users or to certain job roles or individuals.
Allum explained: “You can limit access to sensitive data to just those staff who actually need to view it as a legitimate part of their job, in line with the GDPR principle of data minimisation.
“Does a call center agent or accounts administrator really need to see information such as a person’s payment history or financial status when viewing bills or contracts, for example? If not, then it’s best practice to redact it.”
Data anonymisation can be provided by replacing text with random, but similar, characters to produce realistic documents for thorough testing, without exposing any real business data.
The usual contradiction between GDPR and blockchain
Privacy experts have argued that there is a contradiction between GDPR and blockchain: data stored on a blockchain is considered to be immutable, which makes it apparently impossible to delete and, in turn, seemingly impossible to comply with the ‘right to be forgotten’ requirement under GDPR.
The Macro 4 solution, however, is not affected by this limitation as it uses blockchain to store very specific information which would not create privacy implications.
Looking beyond the Macro 4 product, if a blockchain is used to store personal data, it is possible to overcome the ‘right to be forgotten’ issue via certain types of blockchain. One example of a GDPR-compliant blockchain might be one that entails a limited network of computers that can ‘vote’ to make changes to the ledger.