Expert opinion

How to deploy blockchain tech for GDPR compliance

Wednesday 7 February 2018 | 09:26 AM CET

As companies look for solutions, Armin Ebrahimi, CEO of ShoCard, shares with The Paypers ways to deploy blockchain to enable businesses to meet GDPR compliance.

Enforcement of the EU’s General Data Protection Regulation (GDPR) is approaching quickly. On May 25, 2018, any company, foreign or domestic, that processes the personal data of EU inhabitants is expected to have solutions in place to meet the regulation’s requirements. The GDPR is designed to give prospects, customers, contractors, employees, etc., more power over their data and less power to the organizations that collect and use it for monetary gain.

However, decentralized solutions based on blockchain technology are innovating how data is collected, stored and distributed, and these solutions provide options not available through traditional data protection methods.

Blockchain technology enables the actualization of completely digital identities, allowing for the concept of Bring Your Own ID (BYOID) to gain traction and adoption. Staring down the new GDPR requirements and the social and business pressures to not become the next Equifax, companies are searching for innovative solutions to put themselves ahead of the curve when it comes to protecting the data of their clients, customers and users. The public is also putting much of this pressure on enterprises, searching for a way to gain more control over their own data. If a solution that allows them to control their own data is available, why should they entrust its protection to companies vulnerable to hacks?

A blockchain identity management (IM) system uses public/private key cryptography and data hashing to verify data safely via the blockchain. A person’s identity and data are stored on their device, and they are the only person who can determine which ID details are shared. The blockchain is used as a public, immutable ledger that allows third parties to validate that the original data or certification has not been changed or misrepresented. Because data on the blockchain is immutable, it cannot be modified or deleted.

Personally identifiable information (PII) is not stored in any usable way on the IM system’s servers or on the blockchain. It is collected by the IM system’s app, encrypted and stored locally on the user’s device. A one-way hash of those fields is then computed, signed with the user’s private key, and the signed hash is stored on the blockchain. PII processed in this way cannot be reverse-engineered or extracted from what is on the blockchain. The PII can then be validated and certified by a trusted entity, such as an identity verification provider, government agency or corporate office. The user can interact with other parties and verify their identity, or exchange personal data, through a completely secure process.
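The device-side hash-and-sign step and the relying party's verification step described above, as an added example that is not ShoCard's code: it uses Go's standard Ed25519 and SHA-256, models one ledger entry as a Commitment struct, and adds a per-field random salt (an assumption beyond the text) because an unsalted hash of a low-entropy field such as a birth date could be matched by hashing candidate values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Field is one PII attribute held only on the user's device. The per-field salt
// stops a low-entropy value (a birth date) being guessed by hashing candidates.
type Field struct {
	Name, Value string
	Salt        []byte
}

// Commitment is all that reaches the ledger: a hash and a signature, no PII.
type Commitment struct {
	Hash, Sig []byte
	Pub       ed25519.PublicKey
}

func fieldHash(f Field) []byte {
	h := sha256.New()
	h.Write(f.Salt)
	h.Write([]byte(f.Name + "=" + f.Value))
	return h.Sum(nil)
}

// Commit hashes a field on the device and signs the hash with the user's key.
func Commit(priv ed25519.PrivateKey, f Field) Commitment {
	h := fieldHash(f)
	return Commitment{Hash: h, Sig: ed25519.Sign(priv, h), Pub: priv.Public().(ed25519.PublicKey)}
}

// Verify: the user reveals value and salt to the relying party directly; it
// recomputes the hash and checks the signature recorded on the ledger.
func Verify(c Commitment, f Field) bool {
	return bytes.Equal(fieldHash(f), c.Hash) && ed25519.Verify(c.Pub, c.Hash, c.Sig)
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	salt := make([]byte, 16)
	rand.Read(salt)
	dob := Field{"dob", "1980-01-01", salt} // constructed sample PII, device-side only
	c := Commit(priv, dob)
	fmt.Println(Verify(c, dob), Verify(c, Field{"dob", "1980-01-02", salt})) // true false
}
```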

By enabling BYOID, blockchain-based IM systems reduce the need to collect PII into massive databases whose protection depends on the company’s cybersecurity efforts. With no PII data to store, hackers no longer have a target within the enterprise to compromise. The concept also hits on the main mission of GDPR – to give people back control over their own data and the ability to decide for themselves how it should be stored, distributed or otherwise used.

Blockchain-based identity management gives users control of their data and helps companies towards GDPR compliance by allowing them to authenticate their users without storing PII data. By doing so, companies reduce the number of requests to access, erase and correct user data, as none of it is stored within the company’s systems. It also allows the company to obtain definitive proof of consent.

Under GDPR, organizations have to prove that consent was given, and any data held must have an audit trail. Blockchain-based solutions facilitate permission-based access to information by giving users control in the sharing of their data, leaving an audit trail of consent on the blockchain. The user can remove that consent at any time, satisfying the GDPR’s right to erasure. Using this technology, users’ mobile devices, which are locked under a private key, are the only systems that store the authentication PII data. The blockchain is used only to verify a user’s claim of their identity, and the blockchain is therefore populated with non-PII verification signatures.
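The consent audit trail described above, as an added example that is not ShoCard's code: each grant or revoke is an event signed by the user and appended to an in-memory slice standing in for the blockchain (an assumption), and a relying party replays the trail to learn whether consent for a field is currently active. Party and field names are constructed samples; no field value is ever written to the trail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ConsentEvent is one audit-trail entry: the user grants or revokes a named
// party's permission to use a named field. No field value is ever recorded.
type ConsentEvent struct {
	Party, Field, Action string // Action is "grant" or "revoke"
}

// SignedEvent is what goes on the ledger: the event plus the user's signature.
type SignedEvent struct {
	Event ConsentEvent
	Pub   ed25519.PublicKey
	Sig   []byte
}

// bytes is the canonical form that is signed; NUL separators keep fields unambiguous.
func (e ConsentEvent) bytes() []byte { return []byte(e.Party + "\x00" + e.Field + "\x00" + e.Action) }

// Record signs an event with the user's key and appends it to the append-only ledger.
func Record(ledger []SignedEvent, priv ed25519.PrivateKey, e ConsentEvent) []SignedEvent {
	return append(ledger, SignedEvent{e, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, e.bytes())})
}

// ConsentActive replays the ledger for one user and party and reports whether the
// latest validly signed event for the field is a grant; unverifiable entries are skipped.
func ConsentActive(ledger []SignedEvent, pub ed25519.PublicKey, party, field string) bool {
	active := false
	for _, s := range ledger {
		if !s.Pub.Equal(pub) || s.Event.Party != party || s.Event.Field != field {
			continue
		}
		if ed25519.Verify(s.Pub, s.Event.bytes(), s.Sig) {
			active = s.Event.Action == "grant"
		}
	}
	return active
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var ledger []SignedEvent // constructed in-memory stand-in for the blockchain
	ledger = Record(ledger, priv, ConsentEvent{"acme-bank", "dob", "grant"})
	fmt.Println(ConsentActive(ledger, pub, "acme-bank", "dob")) // true
	ledger = Record(ledger, priv, ConsentEvent{"acme-bank", "dob", "revoke"})
	fmt.Println(ConsentActive(ledger, pub, "acme-bank", "dob")) // false
}
```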

In 2018, the enforcement of GDPR will bring with it a laser-focus on how we as a society handle our valuable personal information and who we trust to handle it on our behalf. Blockchain technology has granted us a solution that was not previously possible under old capabilities. Moving steadily away from old solutions and outdated ways to think about the protection of digital identity will be a rising trend, especially as BYOID continues to rise as a solution to data and identity management concerns.

For companies, placing an emphasis on data protection and showing they are making strides to protect users’ privacy will be a major differentiator. Companies that provide ways for customers to protect their data before the momentum of blockchain technology or legal compliance requirements force them to have the opportunity to build trust, create more loyal customers and establish themselves as leaders within their industry.

About Armin Ebrahimi

Armin Ebrahimi is Founder and CEO of ShoCard, a digital identity verification system that protects consumer privacy through patented use of mobile devices and the blockchain. An industry veteran, he brings more than 30 years of experience in scalable platforms, online services, mobile-development and digital advertising to the ShoCard team.


About ShoCard

ShoCard is a mobile-identity platform built using blockchain technology that provides a simple and intuitive application for authentication while protecting users’ privacy. This allows for a variety of use cases, including repeat authentication, true-digital signature with non-perishable audit-trail, transaction authorization, frictionless login services without username/passwords, and user authentication in financial transactions, travel, health, government and industries where digital identity matters.
