Why GDPR is failing & how blockchain can help

As a platform seeking to provide blockchain-based solutions to the world’s most pressing information security challenges, data privacy represents a prime use case for the IAP. Meanwhile, Blockliance, the first application to be built on the IAP, seeks to provide more cost-effective ways for businesses to comply with regulations. Therefore, as a regulation aimed directly at data privacy, the roll-out of GDPR — the EU’s General Data Protection Regulation — has been something we have been following very closely.

Very few people living in EU countries will have failed to notice the coming into effect of GDPR on 25th May. Individuals and businesses around the continent were inundated with emails begging them to sign up to revised privacy agreements.

Two months on from its implementation, however, the general consensus has been that it has failed to make a meaningful impact on any of the privacy and data protection issues that it was, in principle, billed as solving.

In this article, we will go over what GDPR is, why it has been a disappointment and why we think blockchain could be an important part of succeeding where GDPR has failed.

What is GDPR?

GDPR is a new regulation that places a range of requirements on businesses operating in the EU to ensure they take increased measures to safeguard the privacy of the people whose data they hold.

The central requirement of the regulation is that businesses must gain consent before storing or sharing personal data on individuals, and this consent must be freely given, made affirmatively in an informed way specific to the transaction in question, and with a clear understanding of which third parties may receive the data. Organizations processing data must also have a Data Protection Officer in place and are required by law to report a personal data breach to supervisory authorities within 72 hours. Individuals also have the right to know what data an organization holds about them, and the organization must provide it within a set period, demonstrating who sees it, how it is used and what decisions may be taken with it. They also have a “right to be forgotten” and a “right to object” to their details being used, transferred or held.

What problems is GDPR supposed to be solving?

There is increased anxiety amongst individuals around the privacy of their personal data, which has only been magnified recently in the wake of the Facebook data breach. People are waking up to the fact that, as a result of ticking fairly harmless-looking boxes with the likes of Facebook, Google and others, their data is ending up in the hands of dozens of companies to whom they don’t feel they gave consent.

The promise of GDPR therefore was to give control back to individuals over their personal data. The goal was to give this control back by forcing organisations to state more clearly how data is being used, requiring that consent is made actively and providing individuals with more rights to track the usage of their data and withdraw consent.

Why is it failing to solve these problems?

The reality, however, has been somewhat different. Privacy policies have simply become longer and more complex to meet GDPR requirements, making the average individual even less likely to read them. Meanwhile, whilst businesses may be fined for breaches, there is no clearly defined path for individuals to be personally compensated for misuse of their data. There is also a major loophole that still allows many kinds of data processing, so long as it can be said to fall under a “legitimate business interest”. This term is poorly defined, making it even harder for an individual to challenge a business’s usage of their data.

However, the specific issues above speak to a broader problem that sits at the crux of why regulation like GDPR cannot make a meaningful impact on data privacy for individuals. The best that GDPR can do is grant individuals rights over the privacy of their data. What it cannot do is provide a robust methodology that allows individuals themselves to enforce these rights in a way that is simple enough for the average person to understand and implement.

GDPR does not provide individuals with any tools to track how their data is being used, it does little to simplify the task of understanding when a right has been breached, and it provides no simple way for someone to seek compensation for a breach.

Meanwhile, from the perspective of businesses themselves, it adds a slew of cumbersome processes they must comply with, again without providing any kind of toolset to make compliance simple. This imposes all sorts of compliance costs on businesses; costs that are ultimately passed on to the consumer.

How could blockchain technology help solve these problems?

What the above analysis demonstrates, therefore, is that data privacy rights are fairly meaningless without both simple methodologies for individuals to enforce their rights and cost-effective ways for businesses to comply.

Blockchain technology is well placed to provide exactly this kind of methodology for both individuals and businesses. Because blockchains are immutable, trust-less and decentralised, they offer a way to securely store and share data such that every stakeholder involved can easily track how data is being used without recourse to a third party.

This means blockchain technology could offer a way for individuals to easily access information on how their data is being used without having to make requests to the business that is storing or sharing their data. This would empower them with the methodology to track and enforce their data privacy rights that is currently missing from GDPR.

From the perspective of businesses, these same features of immutability, trustlessness and decentralisation would allow them to use blockchain technology to prove that they are complying with regulatory requirements in an automated way that does not rely on manual verification by trusted specialists and complex processes. This would reduce their costs, making them not just more likely to comply but also less likely to pass on costs to consumers.
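To make the tracking and proof-of-compliance idea above concrete, here is an added illustration (not IAP or Blockliance code, and not from the original article) of a hash-chained consent ledger: any stakeholder holding a copy can verify it has not been altered, an individual can list processing of their data that had no active consent, and the entries carry only a pseudonymous subject id rather than personal data. The subject id, purposes and recipients are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def digest(record: dict) -> str:  # canonical JSON so every party gets the same hash
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Hash-chained log of consent/processing events; holds a pseudonymous subject id, never the data."""

    def __init__(self):
        self.entries = []

    def append(self, subject, event, purpose, recipient):
        body = {"prev": self.entries[-1]["hash"] if self.entries else GENESIS,
                "subject": subject, "event": event, "purpose": purpose, "recipient": recipient}
        self.entries.append(dict(body, hash=digest(body)))  # hash commits to predecessor

    def verify(self):
        """Any holder of a copy can confirm nothing was altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != digest(body):
                return False
            prev = e["hash"]
        return True

    def unconsented_processing(self, subject):
        """Processing events with no active consent for their purpose (a rights breach)."""
        active, flagged = set(), []
        for e in (x for x in self.entries if x["subject"] == subject):
            if e["event"] == "consent_given":
                active.add(e["purpose"])
            elif e["event"] == "consent_withdrawn":
                active.discard(e["purpose"])
            elif e["event"] == "processed" and e["purpose"] not in active:
                flagged.append(e)
        return flagged

def demo():
    # Constructed sample: one subject, a controller and a mailing processor.
    alice, ledger = hashlib.sha256(b"subject-0001").hexdigest(), ConsentLedger()
    ledger.append(alice, "consent_given", "marketing", "acme-controller")
    ledger.append(alice, "consent_withdrawn", "marketing", "acme-controller")
    ledger.append(alice, "processed", "marketing", "mailer-processor")  # after withdrawal
    intact = ledger.verify()
    ledger.entries[0]["recipient"] = "data-broker"  # rewriting history breaks the chain
    return [e["recipient"] for e in ledger.unconsented_processing(alice)], intact, ledger.verify()
```

`demo()` returns the recipients of unconsented processing, whether the untouched ledger verified, and whether it still verifies after one entry is edited in place.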

These are exactly the kinds of solutions that the IAP seeks to provide, and we believe it can play an important role in turning regulations like GDPR from well-meaning frameworks into actionable tools for individuals to enforce their privacy rights. Meanwhile, Blockliance, the first app to be built on the IAP, will provide the kind of automated, trust-less and decentralised tools that businesses require to make complying with GDPR practical and cost-effective.