Can an immutable record and GDPR data subject rights co-exist? Why blockchain might not be able to deliver on data privacy requirements. Credit: Getty Images Sometimes in the tech industry you have to work with opposing needs or even contradictions. Often, we find ourselves in a situation of balancing human nature versus security or legal versus technology. An example of the former is in the area of password policies where you would naturally expect a strong password requires a complex policy. The reality is more complicated. People write complex passwords down, which makes them vulnerable.This contradiction in terms is where we find ourselves with the blockchain and data privacy. The blockchain creates an irreversible (sometimes public) record of something that seems, on the surface, at least, to contravene the expectations of privacy law.In the world of digital identity, the idea of self-sovereign identity (SSI) is being floated. SSI, in a nutshell, is a way to use blockchain technology to decentralize digital identity. At the same time, new and improved data privacy legislation is being enacted, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).These regulations have set a high bar for data privacy, and the heady heights of this bar are reached through user choice and control. The question that is being asked is, “Can you accommodate the nuances of data privacy and user control when you create an immutable ledger of identity and data using a blockchain?” Identity on a blockchainBefore answering the question above, we need to think about what “identity on a blockchain” actually means. Currently, the industry discussion around blockchains and identity is to promote the idea of SSI, but there are other ways of using blockchain to register a digital identity or attribute status (for example).SSI is based on the idea of using a decentralized network that manages a “root of trust” based on a consensus algorithm. Sovrin is making headway in the SSI field and has built up a “decentralized, global public utility, for self-sovereign identity” based on the backbone of a trust framework, overseen by a board of trustees. Other blockchain identity systems use the blockchain in a more layered approach to registering information about an identity. An “identity” that is registered to the blockchain is done so using a cryptographic mechanism that uses a hash, a.k.a. a one-way transformation. The ledger creates an immutable record. The public nature of many blockchains used in identity, along with this immutability and hashing, are creating much discussion around privacy. How can you achieve certain data subject rights expected in regulations like the GDPR?The GDPR data rights and blockchain registered identity dataThe GDPR sets out a framework for privacy based on the ethos of having to consent to the processing of your personal data. It also sets out guidelines on maintaining confidentiality and integrity of personal data–i.e., data that can be linked to an individual. The GDPR is an EU diktat, but other countries, including the U.S., are starting to formulate similar legislation. Within the GDPR framework sits eight data subject rights – the right to:Be informed about your data Access your data Rectify your data Erase your data (data deletion) Request the restriction of data processing Port data elsewhere Object to use of dataPrevent automated decision-making including profilingLet’s look at some of these data rights and requirements in terms of identity data registered to a blockchain.Personal data: The basics of privacyWhen SSI uses the blockchain, it stores a hash of a user’s attribute. In the case of certain SSI frameworks or layered blockchain systems, the manner in which personal data is registered is such that it is pseudonymized. Either zero-knowledge proofs or another mathematical treatment of these data can be performed, such that data presentation can be minimized.Sovrin, for example, uses a concept of decentralized identifiers (DIDs), which help prevent correlation between the user and the data. Other methods such as BitCardIDs use a mathematical proof to perform data obfuscation or minimization–e.g., present an age over rather than a date of birth. This establishes a degree of privacy by design and default into the backbone of any identity system based on the framework.ConsentThis is an ethos as much as a function in an identity system and needs to be designed in from the outset. Consent is something used to create a relationship. However, the immutable nature of the blockchain is a positive force in terms of consent receipts. It can be used to create a record of taken consents and revoked consents, over time. Making changes in an immutable record – rectificationThe right to rectification of data that is found to be incorrect, could be challenging if personal data is recorded on a blockchain. It is true that the blocks are immutable. However, they are time-stamped and new blocks can be added to update previous entries. The issue left is the access to the incorrect block. This is where the design needs to be carefully considered and private, permissioned blockchains, may be the best option.Making changes in an immutable record – erasureThe right to erasure (to allow data to be forgotten) is another sticking point on the chain. How can you possibly square the round peg of immutability with the square hole of erasure? This, on the face of it, is a tricky conundrum. You can’t, as such, erase the immutable record of a blockchain without breaking the chain altogether – each block is dependent on the previous. You can’t even use a permissioned private ledger and remove access, as this is not strictly erasing the data.The only way to possibly comply with this requirement is to decouple the data from the registration on the chain. An option is to register a status or a reference, such as “KYC checked,” or a minimized/pseudonymized data set, rather than full personally identifiable information (PII). This is not always feasible SSI platforms.The use of the blockchain for identity records has some advantages over traditional database storage. It offers a potential for anonymity and data minimization – especially when coupling identity with financial transactions. It also offers transparent but confidential transactions. Security may also be improved as single points of failure are reduced. Like many technology layers, the blockchain has both benefits and failings. In the end, as with other technologies like encryption, it is in the implementation and the associated platform controls that these issues can be resolved. You need to choose your options carefully, from fully public, SSI frameworks like Sovrin to private permissioned ledgers. The choice needs to be done with data privacy and regulations like the GDPR in mind. Related content feature 4 authentication use cases: Which protocol to use? Choosing the wrong authentication protocol could undermine security and limit future expansion. These are the recommended protocols for common use cases. By Susan Morrow Dec 05, 2019 6 mins Authentication Identity Management Solutions Security opinion Deepfakes and synthetic identity: More reasons to worry about identity theft How can we maintain control over digital identity In a world where it is being blurred and abused by fraudsters? By Susan Morrow Oct 02, 2019 6 mins Authentication Fraud Identity Management Solutions opinion Is the digital identity layer missing or just misplaced? The orchestration of existing services and data could provide a digital identity layer that gives the internet a common way to handle identity for all consumers. By Susan Morrow Jun 28, 2019 6 mins Authentication Identity Management Solutions Security opinion Can the re-use of identity data be a silver bullet for industry? The ability to re-use identity data for individuals across different systems would greatly simplify authentication. Here's what it would take to make it happen. By Susan Morrow May 24, 2019 6 mins Authentication Identity Management Solutions Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe