The GDPR & Blockchain

A lot has already been said and written when it comes to blockchain technology and the GDPR (General Data Protection Regulation). This regulation protects personal data of EU residents, but several assumptions do not seem to fit with distributed databases. The first major point of contention is that there should be a legal person to bear responsibility for the processing and use of personal data outside of the direct data processors (a data controller). This entity should be addressable by data subjects to enforce the regulation when required. However, a blockchain generally consists of many different players (distributed) so that a single point of contact cannot be found (the point of the technology). Who, then, is responsible for processing data? And what participant is the controller vs the processor? The second difficulty is the fact that the GDPR gives data subjects control over their personal data, enabling them to ask for their personal data to be erased or changed (Articles 16 and 17). With blockchain technology, where the entire goal is the integrity — and immutability — of the data, such a unilateral change of data is simply impossible. Other points of contention are the rules regarding data minimisation, purpose limitation, and data transfers to countries outside of the EU, to name a few. All of these have led some to believe that there is no real future for blockchain and distributed ledger technologies in the EU. 

However, it was never the intention of the EU-legislators to stop the use of blockchain technology. In fact, the EU has expressed the desire to become a global leader in the application of blockchain technology. An entire strategy was developed with a clear framework and targeted investments so that new companies and applications might find a home within the Union. Research is also being stimulated to contribute directly to practical use. So, how do we resolve the clear conflict between actual regulation and intention of the EU? Well, several use cases arise where blockchain technology might actually help support the application of the GDPR. An example is the use of blockchain as a governance tool, where data subjects might determine themselves who gets access to their personal data. It can also contribute to the portability of personal data (Articles 15 and 20), ensuring that individuals can access data provided to controllers and easily transfer that data. 

Further, data protection compliance can be automated through the use of blockchain technology as a peer-to-peer security framework. This can be used to return control over data to individuals and remove the need for third-parties to hold or verify personal data. Each node in the network can audit and verify all transactions taking place without the need for any human intervention. The blockchain is used to record who accessed, including algorithms used to analyse data — or even requested access to — personal data, and that the data was successfully verified by the nodes. Therefore, every time analysis is performed, the logs generated ensure that people are directly aware of what is happening with their data. On top of that, blockchain technology can allow users to be directly rewarded for the use of their personal data. This radically reimagines the Internet, so instead of corporations profiting from all this data, individuals can decide how to use their data, and make a small profit if they choose. But, most importantly, this gives users direct control over their personal data. Want to allow certain organisations to process your data? You can easily give them permission. Do you want it to stop? Very similarly, retract the same permission. The data format also allows for easy data transfers which allows for transferability. However, while this new system could even further the rights afforded under the GDPR, the main concern of the right to be forgotten remains. Even though not all blockchain platforms are completely immutable, we should consider when we are completely in line with the regulation when we apply privacy by design controls. The problem is that privacy by design is not clearly defined by the regulation. There are only certain measures which are mentioned (i.e., pseudonymisation) in the GDPR text, but not concise overview of what techniques one should employ to ensure compliance. For the time being there is still some uncertainty on what aspects would help cover the GDPR-regulation completely. However, in the spirit of the regulation, and what it tries to achieve, it seems clear that blockchain technology could help develop systems which have the best interests of people at heart and gives them more complete control over their own data and what happens with it. However, one should remember that currently public & permissionless blockchain platforms are no great solutions for applications involving personal data when it needs to be stored on the network. Different solutions or measures are crucial if we want to ensure proper control over personal data and compliance with existing privacy regulation.

To date, there is still a lot of legal uncertainty when it comes to the application of the GDPR and the use of blockchain applications. There is a lot of room for interpretation which makes it difficult for organisations to decide in the EU whether it is a good idea to move forward with projects which might have a very positive impact on the lives of a lot of citizens. However, there are several ways one can look at the GDPR-regulation and blockchain. Even though public blockchain networks clearly do not seem to fit with the GDPR, there is a lot of room for hybrid or private distributed networks. Even though there might be some discussion on whether these networks can be classified as ‘real’ blockchain technology, it at least gives us some perspective on how we might make use of distributed ledgers to change the lives of EU-citizens for the better, while at the same time complying to the strict privacy regulations. 

Life Insurance

Blockchain has undeniable potential — and even impact — for financial services. Life insurance is no exception, as blockchain can be used to connect fragmented IT systems, implement smart contracts to reduce administration, improve data accuracy, and help fraud detection.  However, before you run for the hills because this is just another listing of frequently mentioned applications — or worse, poorly thought out applications, — an interesting use case was introduced a couple of years ago in Belgium. This case in particular is interesting as an example of how blockchain can impact the lives of many people, across different industries, and help strengthen the privacy regulations in place. And all of that can be achieved with an idea which at its core is quite simple. 

Let us take a step back and imagine the worst case scenario — actually needing to use life insurance, and doing so as the result of an emergency. In the event of a car accident, it’s already difficult and disorienting to navigate insurance:  Is it employer insurance; were you on your way to work? Are they going to contact the insurance company? Or is it up to you? Or do you have personal insurance? Great, but what company was it again? And how the hell do you get in contact, and did you provide the right information? What is covered by your insurance? Where did you leave the paperwork? But, when these accidents end with the insured passing, not only are loved ones grieving, but how will they even know if you had life insurance? Was it through your employer, or something personal? 

We can also turn around the story and look at it from the insurer point of view: they are dealing with many different types of questions coming in from customers. Have they contacted the correct insurance company? Do they provide all the correct information? Do you need to send back more paperwork? It creates delays, frustration, stress, and angry customers. On top of all that, it also poses a GDPR compliance nightmare. Sensitive personal data is being shared via mail and, due to the many different underlying back-office systems, such data can be misplaced and linked to the wrong customer. Insurance companies often also have incorrect or out-dated information for their customers; and even if they aren’t the actual insurance provider of the customer, they still received all the sensitive personal information of the person in question. 

Now, what if I tell you that there might be a solution for this problem? Imagine a blockchain network which could link all the insurance companies where one might have life insurance together and add in this same network all medical professionals and institutions which might help take care of you. The solution we propose consists of a permissioned blockchain as only certain parties can get access to the network. Depending on how the solution is built, the broader public can also control their own personal data. For example, each time personal data is shared, the involved person needs to sign the transaction, preventing abuse. Whenever a person comes in with a major medical issue or whenever a person is reported as deceased, a medical professional can release a message to the network. This transaction would only be readable by insurance companies where the person is an actual customer. Otherwise, the information remains locked and unreadable. The manner personal data is shared can also be adapted. It can either be encrypted on the decentralised network, or the network can be only used to share a hashing proof which can be used by all involved parties to make sure that the data received has not been adapted. This way of working would completely change the current system and improve the lives of everyone involved. The ‘proof’ would immediately be shared with the insurance companies so that they can start with administration and investigation from their side. In case extra information is needed, it is up to them to contact the customer, and not the other way around. It would speed up administration for insurers immensely, as they could make use of automation and direct logging while at the same time improving the overall customer experience. If the case is clear, the customer is contacted for a pay-out, and if there are questions, the customer does not have to look for the right insurance company. It could also work as a fraud reduction measure, as medical professionals directly sign off on the information they share. 

And the privacy aspect of it all? Well, it is quite simple. All health records are linked to your personal file so that messages are transmitted into a network where all health records of all citizens are linked. This attaches information to the individual, rather than having each company responsible for collecting and storing a file for each customer. Access to the health records can be controlled in different manners. Health professionals can determine together with the involved individual which data can be shared with the insurers. When no longer relevant (and if it is not in conflict with different regulations), the involved person can still retract his permission. No longer a customer of a certain insurer? No problem, the key is no longer available and even though the health data is still part of your personal file, the insurer cannot access it. As such your privacy is ensured. And, as you cannot simply ask your health records to be deleted or altered, this network ensures the integrity of your records. This could also help prevent different types of abuse, such as drug addicts trying to receive drugs from different healthcare professionals. And what happens when someone is deceased? Well, the GDPR doesn’t cover the personal data of the deceased, but this doesn’t mean that personal data should no longer be protected. In this case, personal data would be shared one final time with insurers, and, based on what happens next, and the final account is closed; the keys are destroyed and your data is no longer accessible. 

This way of working would also allow different types of companies to link and gain access to certain aspects of your personal data based on your own choices, giving you full control over who gets access to which data, which in the end is the entire goal of GDPR and privacy regulations as a whole.

The Future?

What does the future hold? Well, frankly I don’t know. This idea was launched a couple of years ago in Belgium, and, even though it was a great plan, it hasn’t seen any movement forward towards execution. However, it will be solutions like these which will offer insurance companies the tools to provide better customer service and the means to compete with new up and coming insurtech, which are focussed on the digital generation.

However, this requires cooperation between competitors, involvement of the healthcare industry, and probably the right support from the government to help create regulatory certainty. In the past, this proved to be an issue, and it is only a question if in the future competitors will be able to work together in favour of their customers. Although, it might seem a bit contradictory, to create a great, distributed solution, the centralised involvement of the government is required to help us all move forward in the right direction. The GDPR needs to be further clarified to help determine how one can make use of decentralized networks. The regulation was intended to help people get proper control over their own data so it seems a bit cynical that this same regulation seems to be working as a hurdle for solutions which could greatly improve the lives of people throughout the EU (and the world).

Conclusion

There are compelling use cases with distributed technology one can think of which would have a positive impact on the lives of everyone. The GDPR certainly isn't here to rain on the parade of innovation, and blockchain might even help to improve data privacy and protection of personal data. The EU and local governments must provide clear and better guidance when it comes to the application of distributed technology and how data protection regulation should be applied, though. This could help open up applications of new technologies (not only limited to blockchain & distributed ledgers) and greatly improve the way of working across industries and as such greatly impact the life of us all.