GDPR Networks: Trust Markets and Contextual Data Routing

A Framework Methodology for a Protocol based Paradigm Shyft, Part 1

This is the age of data, and the impact of this paradigm change sends ripples across countless industries. After all, data is everywhere, it’s who we are, what we do, how we transact and where.

A Global Problem

The challenge lies in the balance between promoting innovation and protecting personal data, a challenge that was met by the European Parliament and the Council of the European Union with the General Data Protection Regulation; a binding body of laws meant to set the legal framework on data protection and privacy for all individual citizens of the European Union. While regulation, to an extent, is welcome as it provides clarity and certainty to a nascent and disruptive industry, such as blockchain, it is also a hindrance as it tends to view current issues under an inflexible mindset; it doesn’t anticipate or create avenues for new technological solutions.

To complicate matters further, digital regulations still come from local and regional jurisdictions that do not complement each other, or worse, clash, creating asymmetries and uneven playing fields. They begin to provide frictions towards the broader global community and digital systems that either don’t share the same requirements, or are unable to properly comply to them given existing internal process, internal systems, or other regional complexities. GDPR is a prime example of this, as you have the European Union implementing a set of data laws and requirements for how client data can and cannot be accessed; how that is to be managed, how it is to be kept or forgotten, and ultimately, how platforms and digital services provided by companies in every country must operate in order to not violate personal privacy.

This concept implies that as one physical nation determines how a policy should be enacted, enabled and enforced digitally, that it has jurisdiction over a non-jurisdiction based network (the internet) and can apply local rules to a free and open network infrastructure. The complexities that these implementations of rules on the internet create, have unknown consequences for the future, and more importantly, have immediate implications to interactions that occur in the digital and physical realms, and the interplay between these two “worlds”.

Applying analog rules to digital frameworks; archaic ideas, at the expense of progress and future innovation. It simply will not work.

We believe that blockchain is a massive technological advancement, and a new global framework for value and data transactions; to us, regulation, like GDPR, can represent either a roadblock, or an opportunity. At Shyft, we see it as the latter.

This brief is intended to be an initial high level scope and reference paper to define the applicability of a global GDPR network standard, and a multi-group set approach to enabling public data security, ownership, ownership rights management protection, identity & data sovereignty, physical and digital world anchoring, and aggregated creditability.

Complexities for a Globalized World

Properly managing these inter-governmental, inter-institutional and multi-stakeholder requirements is not an easy challenge. There are many different conditions by which one may approach these requirements, and several institutions today are taking differing approaches to solving these challenges — with most successes still yet to be seen.

With this in mind, we propose a GDPR and data signatory network solution that provides all participants, the ability to cross validate, cross-sign, and cross-trace the historical proof of multi-party validation.

Our goal is to create a public network infrastructure solution that reduces unnecessary complexities, costs and implementation hurdles, thus creating a truly global and empowering tool for individual users.

The Paradigm Shyft

Shyft enables trust anchoring as a global solution to binding entities into a digital formation that provides open actor participation, and a framework methodology to create complex validated communication formats and channels. The ability to create multi-entity relationships, external to their own internal requirements, as well as to build policies and directions for how these relational formations execute correspondence amongst participating validators, provide a massive opportunity in how we structure and build efficiency into the global economy.

The Principles of GDPR

Any project that aims at solving these issues, needs to understand the following constraints:

GDPR requires the following considerations on behalf of entities (processors and controllers):

1. Pseudonymisation of personal data
2. Notification of data collection and data use
3. Local encryption and decryption
4. Audit trails of processing activities

GDPR requires the following considerations on behalf of the data subject:

1. Consent
2. Data portability
3. Right of access
4. Right to be forgotten (right of erasure)
5. Transparency

A Network-First Approach

If we are to deploy this type of regulation on the internet, we would rather take a network-first approach.

By deploying a solution, we inherently need a publicly auditable and procedural contract that can capture multi-jurisdictional differences in privacy and data transmission requirements. These contracts should be easily accessible and useable across existing enterprise infrastructure and communication systems, and should ensure a public audit trail while maintaining stakeholder privacy for sensitive information.

To be effective, all stakeholders should have definitional differences within this system; users, anchoring institutions, public networks, governments, etc. and would have to be adaptable to a multitude of different organizational structures.

Along with this, as we have a difference inherently between regulated entities (financial institutions, government agencies, retailers, search engines, social networks, etc.), we need the ability to build in a sort of trust anchor data type and entity type control system that can sign based on the type of relationships, interactions, and data sharing requirement that is present.

Using the Shyft trust anchor architecture as an open interoperable standard, we can achieve the globally diverse requirements within GDPR, while reducing the inherent costs, complexities, and changes required to the existing infrastructures inherent today.

Shyft allows anyone using existing OAuth or other signing systems to add in regulatory policies, conditional policies, regulatory requirements, and privacy systems that result in additional steps or process to see these requirements fulfilled.

By using a public key-based system to enforce smart contracts, we can reduce centralization risks of holding data, while making it profitable for all actors involved in the process to engage in open-system creation and network participation.

When done through a multi-stake holder network approach, this system increases user-based privacy and security through a personal permissions architecture embedded into the public networks architecture.

Core Principles of Shyft Pertaining to GDPR

1. Consent Driven. Every data interaction and every step taken on the Shyft Network starts with the user — the owner of the data. GDPR requires consent from the user for data sharing, storage and revocation/erasure of data.
2. Trust-Anchor Based. By allowing mutually trusted entities to validate and serve as witnesses, validators, and repositories of data, we release less capable or proficient entities from the burden of data protection, thus lowering the surface area of attack of end-users.
3. Auditable. Any system that aims to provide a framework for regulated interactions needs to be auditable, and to be explorable by regulators without exposing users’ information.
4. Attestations, Not Data. Shyft works with validations and attestations on the existence and validity of the data, not on data itself. This creates a framework for pseudonymity and data protection that benefits both users and entities alike.

In part 2 of this series, we’ll do a technical deep-dive on how a GDPR Network would function; we’ll discuss how the Shyft Network obtains and manages user consent as the starting point of a validation/attestation-based framework, how Trust Anchors are on boarded and transact with users and each other.

Shyft Network