What is GDPR and how can blockchain help with compliance?
New data protection regulation is necessitating a fundamental shift in business operations and relationships. With regulatory bodies empowered to issue vastly larger fines than previously possible, it is quickly becoming clear that those who most effectively adapt will be those best equipped to thrive in this new regulatory landscape. However, the necessary operational changes required for effective data protection present businesses with a significant challenge; traditional mechanisms of interaction and data transfer are fundamentally insecure and highly prone to human error and malicious actors.
In the traditional corporate environment, confidently consistent compliance is therefore extremely difficult to achieve. Loyakk believes blockchain to be the answer, and is thus creating the Loyakk Vega business collaboration platform with blockchain at its core, in order to facilitate ultra-secure, permissioned and verifiable data management, transfer and governance within business networks; exceptional standards of data protection are part of Loyakk Vega’s very design.
GDPR in a nutshell
As of May 25, 2018, businesses operating within Europe are now subjected to the world’s most stringent data protection policies, known as General Data Protection Regulation (GDPR). Designed to ultimately ‘protect and empower’ consumers, GDPR is essentially a new set of rules governing how businesses must handle their practices surrounding the collection and management of personal data. The regulation outlines seven key principles in relation to compliant data management:
- Lawfulness, fairness, and transparency
- Purpose Limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
The regulatory documentation places a strong emphasis on accountability; organizations are now responsible for acknowledging and understanding their accountability in the processing and management of the private personal information they own- and are expected to adapt business practices accordingly. In fact, GDPR introduces the concept of ‘Privacy by Design’, meaning that it is now imperative for organizations to explicitly consider privacy when undertaking processes that involve the processing of any personal data.
The correct data collection, management, and security procedures are now a strict requirement for all ‘possessors’ and ‘processors’ of personal data. Failing to clearly implement such changes will result in a severe penalty, as will any incident demonstrating non-compliance; if an organization suffers from an all too common data breach, for example, this is a clear indication of failure to maintain the integrity and confidentiality of the personal data in question.
Why was it introduced in Europe?
The purpose of GDPR is to update and standardize data protection laws across Europe, essentially designed to provide greater protection and rights of individuals over their own personal data. On a macro level, the new regulations are an essential element of the European Commission’s January 2012 plans for data privacy reform, aiming to make Europe ‘fit for the digital age’. After years of debate, the course of action had finally been decided upon, and Europe was set on the road to GDPR.
“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said vice-president for the Digital Single Market, Andrus Ansip, speaking when the reforms were agreed in December 2015.
A regulatory data protection update has been sorely lacking for quite some time; the GDPR replaces legislation drafted in 1995, since which time the shape and influence of the digital landscape has changed greatly. Technology is now intrinsically linked to our everyday lives, and vast amounts of data are created by our daily activities; data is the new oil, as they say, and corporations have been hard at work mining for valuable resources. GDPR is thus Europe’s attempt to regain some control on behalf of consumers in the traditional digital landscape of relentless corporate data harvesting and ruthless profiteering.
The European Commission clearly understands that compliance across the board of such drastic data protection reform is not going to come easily, which is why European regulators in charge of enforcing GDPR have been empowered with the ability to issue penalties vastly greater than under previous legislation.
How severe are the penalties?
“We’re all going to have to change how we think about data protection.”
This was the key message from Information Commissioner Elizabeth Denham during her latest speech. She’s somewhat of an authority on the subject, being the head of the Office responsible for enforcing GDPR compliance in the UK.
“Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use”, continued Denham.
Businesses had better take note of the new regulation and adapt their operations accordingly otherwise risk the wrath of European regulators, newly empowered with the ability to issue much greater penalties than was previously allowed for.
If any ‘possessor’ or ‘processor’ of personal data fails to comply with GDPR, they risk the full force of regulatory scrutiny and potential fines of up to €20m or 4% of an organization’s annual turnover (whichever is greater). The severity of the fine reflects the severity of each individual violation, but even for ‘minor’ data protection mishaps, fines can reach €10m or 2% of turnover.
Google’s recent data protection troubles illustrate clearly the severity of the penalties under GDPR; having been issued a whopping fine of €50m by French regulator CNIL, Google is now under investigation by the Information Commissioner’s Office after a number of complaints have been raised regarding the corporation’s policy of attaining the ‘forced consent’ to data collection of their users to be able to gain access to their suite of apps. Though yet to be settled, this case may set an extremely important precedent in the wider battle of traditional corporate operational business models versus the movement towards greater consumer data autonomy.
The punishment for data mismanagement is severe, and the ice is thin; all it takes to bring down the wrath of the regulators on a global organization is just one employee in one company office processing one set of personal records in a non-compliant way.
GDPR is undoubtedly a step in the right direction towards protecting individual liberty and combatting data misuse, however, the new regulation is necessitating a fundamental shift in business operations and relationships which traditional business procedures are inherently struggling to adequately facilitate.
How are companies tackling the regulation?
Operations involving the collection, management, and sharing of personal data have had to be overhauled in order to ensure compliance with GDPR, in the process exposing the fundamental weaknesses of traditional operational mechanisms in achieving effective data protection- which is still yet to be effectively addressed.
As part of the new regulation, all company departments are required to assess their data management and governance procedures and update them to be more effective where possible. It will be necessary to map all company-held personal data and to be able to clearly show where each individual data set has come from, who can access the data and where it resides. This will require the constant complex and comprehensive mapping of the company’s customer personal data, often across boundaries; traditional solutions such as manual databases are therefore inadequate due to the high possibility of human error and incomplete or outdated information.
Under GDPR, companies are also compelled to consistently re-examine the security measures put in place to effectively prevent and react to data breaches. If there is a breach, the organization is liable to be fined. However, this threat has not had the desired effect on ensuring data security thus far; in fact, the number of data protection complaints received by the ICO in the months following the implementation of GDPR reportedly more than doubled. This is because breaches often occur from the use of archaic communications and data transfer systems (such as email or cloud services), which are prone to hacks or human error. Currently, this type of unsecured infrastructure is heavily relied upon by businesses of all sizes, thus presenting the constant risk of data mismanagement.
It’s therefore clear that the problem of data security lies more crucially within the fundamental challenges of traditional of business operations, rather than the lack of a willingness to comply.
Blockchain to the rescue
Archaic systems, such as email, data storage systems and the multitude of cloud services, are plagued by security weaknesses and the high possibility of human error, making them incompatible with the confidently compliant transfer of sensitive data. A new era of enhanced data protection as outlined by GDPR, therefore, will require the next generation of business interaction mechanisms where tracking of data is always in the control of the organisation.
In the endeavour for consistently effective data protection, the inherent qualities of blockchain mean that the technology could play a defining role; not only is blockchain resistant to compromise by malicious actors due to its decentralized structure but it is, by its very nature, a transparent and comprehensive record of all movement within the network. Because data is not transferred between centralized servers during a blockchain-based transfer process, it is possible to track the data and where it is at any point in time. As a distributed ledger, the utilization of a blockchain framework facilitates the movement of data in an inherently verifiable way.
In terms of functionality, blockchain-enabled smart contracts now offer opportunities for infallibly secure data access not possible in the pre-blockchain era. Smart contracts can enable complex and concrete permissioning procedures, ensuring that all data movement is confidently tracked. Again, this tracking capability can be verified by checking the transparent ledger.
Blockchain holds the transformative power required to facilitate a new level of verifiably secure data protection; it just needs to be effectively harnessed.
About Loyakk Vega
Loyakk’s next-gen business relationship platform is being created with blockchain at its core in order to facilitate ultra-secure, permissioned and verifiable data management, transfer and governance. Sensitive documents and personal data (such as estimates and customer information- anything required under regulation) can, therefore, always be tracked even if leaves the company’s firewalls. This capability empowers organisations to respond to any GDPR related requests.
It is the data transfer process within or between companies which is often the biggest point of weakness in terms of exposing the organization to data breaches. Not with Loyakk; Loyakk Vega’s infusion of blockchain enables a previously unattainable level of functional security during data transfer, through the platform’s native LYKK utility token which acts as an ultra-secure smart-contract enabled ‘data container’ during the transfer process. The data never leaves Loyakk’s network, and the utilization of smart contracts enables complex permissioning procedures, meaning data is verifiably accessible only to those who it is intended for. Exceptional standards of data protection are thus an integral part of Loyakk Vega’s very design.
Loyakk’s mission is to not only make data management and wider crucial business operations more secure, efficient and functional but also to revolutionize the way in which businesses interact and collaborate with one another across networks. In a verifiably secure setting providing advanced operational functionality, meaningful collaborative relationships can be effectively fostered between organizations - without the factor of trust between parties or the threat of regulatory consequences hindering progress.
Welcome to the era of blockchain-powered data protection.
Article Written by Shane Latham