Achieving GDPR compliance and data privacy using blockchain technology

Ajay Mothukuri and Vijay Srinivas Agneeswaran explain how to use open source blockchain technologies such as Hyperledger to implement the European Union's General Data Protection Regulation (GDPR) regulation.

The General Data Protection Regulation (GDPR) is an EU regulation acting as a one-stop shop for all data privacy rules across the EU. GDPR governs all global entities dealing with EU citizens’ data in any form or shape. Ajay Mothukuri, Arunkumar Ramanatha, and Vijay Srinivas Agneeswaran explain how to use open source blockchain technologies such as Hyperledger to implement GDPR. GDPR aims to ensure the data privacy of EU citizens through a single set of rules for data protection, increased responsibility and accountability for those entities processing personal data, required notification of any data breaches in stipulated timelines, the pseudonymization of personal data in such a way that resulting data cannot be attributed to a specific data subject without use of additional nonpersonal information, more accessible personal data, the ability to transfer personal data from one service provider to another easily (data portability), a “right to be forgotten,” and data protection by design and by default. These rules apply to all foreign companies and entities that are active in EU market and offer their services to EU citizens, and there are heavy sanctions for any violations, that can total up to 4% of annual global turnover. Blockchain technologies can help companies fall in line with GDPR directives. Pseudonymization is built into the blockchain, as all the data in a blockchain is encrypted and undersigned with the user’s digital signatures. Permissioned ledgers operate on a per-channel basis, making it very easy for companies to hide data from participating peers with whom data shouldn’t be shared. The blockchain uses industry-standard key-value pair or JSON, which allows for interoperability of data between participating entities, as per approved data sharing protocols. Permissioned ledgers now have the capability to modify or delete data upon request. This is never the case with a permissionless blockchain, like bitcoin. Sapient has successfully built permissioned blockchain networks for its clients. Ajay and Vijay cover some of these implementations and explain how Sapient fine-tunes the modify and delete requests on a given transaction to comply with the GDPR regulations. Hyperledger’s chaincode is used as the base for these blockchain implementation. Docker containers along with Go are used to port the blockchain code. Python code is packed into Docker containers. Hyperledger Fabric SDK is used for creating channels for peer-to-peer communication and building subnets that host individual ledgers between channels. Also, Hyperledger’s open source logic for modify/delete is used to achieve the “right to be forgotten” directive. Even though US and other non-EU markets are evolving the data protection standards, this model enables all companies globally to set a baseline for data governance and privacy at an enterprise level, there by winning trust from their customers—which helps retain their loyalty. These data governance policies can be applied horizontally and vertically across business domains, giving scope for interoperability and modularity in data privacy operations.