Implementing GDPR: should you use Blockchain?

By Julie Choo

Published: February 13, 2018

Last Update: April 21, 2020

In my previous blog on Linkedin, I discussed how this ever popular buzzword of the moment, called Blockchain, was disrupting our lives as well as how it is being used for GOOD versus EVIL. In this blog, I will highlight some of my thoughts on implementing GDPR and how it might be relevant OR NOT to use Blockchain, to help you be compliant as the deadline for this regulation approaches in May 2018. There are many angles to take on this topic and I will be wearing three different hats:

(1) As a founder of a small business who needs to be GDRP compliant,

(2) As data strategy consultant, and an author of a book about the strategy journey of businesses, that talks about where it might be relevant to use blockchain as a technology as a game changer as well as to implement regulations within the operating model of a business,

(3) As a techie, who wants the technology to be used properly for its full potential, to help solve real problems, preferably without silly compromises or workarounds.

In fact, I’ll be speaking on the Panel on this very subject at the GDPR Event organised by THE GOVERNMENT BLOCKCHAIN ASSOCIATION (London Chapter) on 13 February.

Implementing GDPR with Blockchain?

Implementing GDPR: how hard or complicated is it?

Well that depends on how complicated or complex your processes are in your business or organization, and hence where you might have data that needs to be managed according to the GDPR regulation.

GDPR compliance is roughly 70% process and 30% data.

The mission of GPDR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.”

Now, if you’re a recipient of lots of junk mail from all those marketing email lists that you never signed up to (or that you can’t seem to unsubscribe from), then GDPR might just help to eliminate this problem. Should every business or organization who currently has your email, ask you to double opt-in again in order to be GDPR compliant. Every regulation is subject to interpretation, but that’s how I’ll be implementing GDPR in my small business. So is this your chance to say NO, or does not answering equal NO.

As a small business owner, managing a relatively small email list of leads and customers, whom I need to market to, my team and I at Stratability (my training business) are taking this opportunity to re-defining our entire end-to-end process for managing customers and their data. To comply with GDPR, we simply need to document the processes within our value chain and along the customer journey, and where do we need to adjust these processes or add new steps, to be managed by our people and systems, and of course implement and follow these new processes. We have a relatively simple architecture comprised of an Learning Managment System (LMS), a Customer Relationship Management (CRM) system that syncs with our email system, and accounting software – so safe to say, its not really that much trouble for us. As a small startup, we don’t exactly have any technical debt.

So, is it relevant or beneficial for us to consider Blockchain to help us with hosting and processing of our customer data? No, is the simple answer. In fact, as I’ll explain later, not only it is not relevant, but its will actually add unnecessary complexity and costs that we don’t need to incur.

Now for bigger businesses and organizations with more complex processes, and a lot more customer data to manage, the path to implementing GDRP isn’t really that different. You simply have a lot more processes to adjust and change, which could then impact a lot more people and systems. It really depends on how complicated your architecture across your operating model is. I’m speaking from the point of view of a consultant architect to many of these big businesses.

The problem is that many big businesses do in fact have pretty complicated architecture or operating models, and in many cases their processes are pretty old, and possibly outdated, while being managed by fairly old legacy systems that they are busy trying to replace, as well as people who are busy managing too many workarounds already, all of which has resulted in lots of poorly managed and possibly inaccurate data. So implementing GDPR is a lot of work for these businesses.

Imagine the frenzy that these big companies, such as the big banks are in right now, trying to get ready for the May deadline. I speak from experience having helped a bank redesign their processes for another regulation called RDR back in 2014.

So, might this added complexity, and burden lend itself to a technology like Blockchain to come in and save the day?

Conflict rules: Implementing GDPR with Blockchain doesn’t make sense

The problem is that GDPR states that data “should be erasable”.

AND Blockchain makes transactions and data “immutable”.

This is a direct conflict between two core principles or rules, meaning that implementing GDPR with Blockchain actually doesn’t make sense, since you can’t actually store the data on the Blockchain.

Technical expert, Andries Van Humbeeck, in his recent article on The Blockchain-GDPR Paradox has actually outlined a pretty big workaround that is needed in order to use Blockchain as part of the process of managing GDRP – blockchain is used as an ‘access control’ medium only. In this solution, Blockchain isn’t being used for its true potential as a technology, making the benefits of the blockchain kind of redundant. In fact, forcing the use of Blockchain to implement GDPR will introduce unnecessary complexity and costs, and hence it actually adds to technical debt.

Of course this is just one example solution, and maybe someone else have designed a better working solution that uses blockchain to implement GDPR. If so, please come forward and share with everyone – we want to know more. Perhaps we will see some solution proposals from my fellow panelists tonight.

As I have stated in my previous blog,

Blockchain is not MAGIC and it does not… cannot… will not… should not…

…solve all problems…

As with all technologies, they are tools that enable us to solve specific problems. You can’t use a wooden spoon to tighten a bolt – you need a spanner.

Let’s not forget that to be GDPR compliant, some businesses have a lot of processes that need changing, and a lot of data that needs to be managed in many places along their value chain or end-to-end process, in multiple systems, and by a lot of people. The work to analyse and discover these processes, how ever many there are, needs to be completed by talented process architects – people.

From my current analysis so far – Blockchain isn’t the right tool for implementing GDRP. But – I’m all ears if you have found a way forward – please share.

Julie Choo

About the author

Julie Choo is lead author of THE STRATEGY JOURNEY book and the founder of STRATABILITY ACADEMY. She speaks regularly at numerous tech, careers and entrepreneur events globally. Julie continues to consult at large Fortune 500 companies, Global Banks and tech start-ups. As a lover of all things strategic, she is a keen Formula One fan who named her dog, Kimi (after Raikkonnen), and follows football - favourite club changes based on where she calls home.

You might also like

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}