General Data Protection Regulation (GDPR) and Blockchain
Salman Baset
1
Outline
• GDPR and blockchain - summary
• GDPR
• What is GDPR?
• Who are the actors?
• What is personal data?
• What are rights of a person?
• What are the responsibilities of a controller?
• Myths about GDPR
• GDPR in action
• Blockchain
• What is blockchain?
• Bitcoin – what is it and how people use it
• Who is the data controller in bitcoin?
• Types of blockchain
• Properties of blockchain that are challenging for GDPR
• Permissioned private blockchains and GDPR
• GDPR and Blockchain
• Possible approaches and their pitfalls
2
Disclaimer
• General Data Protection Regulation (GDPR) is a law.
• I am not a lawyer; I am a security professional who has applied GDPR
in permissioned private blockchains.
• I am involved in various open source blockchain initiatives such as
Hyperledger.
3
GDPR and Blockchain*
GDPR compliance is not about the technology; it is about how the technology is used.
Just as there is no GDPR-compliant Internet or GDPR-compliant Artificial Intelligence, there is no such thing as GDPR-compliant blockchain technology.
There are only GDPR-compliant use cases and applications.
The general approach for a use case or an application is to avoid storing personal data on blockchain.
* https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf?width=1024&height=800&iframe=true
4
What is GDPR?
• A law that regulates the processing by an individual, a company, or an
organization of personal data relating to individuals in the EU+.
https://www.bbc.com/news/world-middle-east-24367705
EU has 28 member states
• Switzerland is not an EU member
• Norway is not an EU member
• Brexit (United Kingdom) and GDPR?
Affects every sector, from healthcare, to Internet services, to banking, and beyond.
Individuals: applies to EU citizens as well as non-citizens in the EU.
GDPR came into effect on May 25, 2018.
GDPR has 99 Articles and 173 recitals.
+ https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en
5
Who are the actors in GDPR?
• S: Data subject. Article 4(1). “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”
Example: you
• C: Data controller. Article 4(7). … “determines the purpose and means of the processing of personal data”…
Example: University is a data controller.
• P: Data processor. Article 4(8). “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Example: University email service provided by a cloud service provider.
• DPO: Data protection officer. Articles 37-39. Appointed by a controller and a processor to advise employees and monitor compliance.
Example: University privacy officer
• SA: Supervisory authority. Article 4(21) and Article 51. An EU country-specific authority for monitoring compliance with GDPR.
• DPB: Data Protection Board. Article 68. Ensures consistent application of GDPR.
[Figure labels: monitor; company, country, EU]
6
What is personal data?
• Some things are obvious
• Name
• Biometric data
• Racial or ethnic origin
• Religious or political beliefs
• Health data
• Sex life and sexual orientation
• Some things are not so obvious
• IP address
• Cookie ID
• Employment and education history
7
What are the rights of a data subject? Articles 12-23
Some examples in the blockchain context
• Right to rectification – Article 16
• Right to erasure – Article 17
• Right to restriction of processing – Article 18
• Right to data portability – Article 19
8
What are the responsibilities of data controller and
processor?
• Many
• Security of processing – Article 32
• “Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, the controller
and the processor shall implement appropriate technical and organisational
measures to ensure a level of security appropriate to the risk, including inter alia as
appropriate:
• pseudonymization and encryption of data
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of
processing systems and services;”
• Notification of a personal data breach to the supervisory authority. Article
33.
9
Where does a data controller or a processor typically
find personal data?
• Customer relationship management (CRM) databases
• Human resource management (HRM) databases
• Web server logs
• Data backups / data warehouse
10
Myths about GDPR
• EU personal data must reside within a data center in EU.
• False
• GDPR applies when an EU person visits another country
• False. Law of another country applies.
• There are no exceptions in GDPR.
• False. See above about law of another country. Other examples include law enforcement,
public safety.
• Office address is personal data?
• False, but it depends. Your name with office address becomes personal data.
11
How is GDPR doing since its release?
• More companies reporting breaches
• Fine imposed on British Airways
• https://www.bbc.com/news/business-48905907
• Who is next? :)
12
What is blockchain?
• NIST.IR.8202
• (first two lines of intro) Blockchains are tamper evident and tamper resistant
digital ledgers implemented in a distributed fashion (i.e., without a central
repository) and usually without a central authority (i.e., a bank, company, or
government). At their basic level, they enable a community of users to record
transactions in a shared ledger within that community, such that under
normal operation of the blockchain network no transaction can be changed
once published.
What is a block? – grouping of transactions
What is a transaction? – a mechanism to update the ledger
Does the definition clearly state the append-only aspect of ledger?
14
What is a “ledger”?
• https://www.merriam-webster.com/dictionary/ledger
• a book containing accounts to which debits and credits are posted from books
of original entry
• a horizontal board used for vertical support (as in scaffolding)
• The ledger familiar to “most” of us…?
• Personal journal
15
Ledger vs. personal journal
 | Ledger | Personal journal
Written on | Paper, typically with pen | Paper, with pen or pencil
Can also be written with | IT system (e.g., computer, SaaS) | IT system (e.g., computer, SaaS)
Record of who made changes | Important | Not so much
Common primary application | Recording monetary transactions | Thoughts
Information layout | Structure (tabular), credit/debit, with dates | Usually with dates
Information is appended? | Typically, yes | Typically, yes
Shared with others | Employees (probably). Other entities, no, unless IRS :) | Depends :)
16
What is a digital ledger?
• A ledger stored in a digital form
• On a (personal) computer or a set of computers
• Can contain data ranging from a few bytes to petabytes, and beyond
• What is a distributed paper ledger?
• Create copies of the paper and distribute them to relevant folks whenever there is a change?
• What is a distributed digital ledger? (or simply distributed ledger)
• Ledgers stored in digital form on a set of computers (e.g., cloud), where data
repository is not confined to a single computer (NIST: without central repository).
The structure of the information stored within the ledger depends on the
application.
17
Tamper evident and tamper resistant
• Immutable: Merriam-Webster
• https://www.merriam-webster.com/dictionary/immutable
• not capable of or susceptible to change
• Why do we write personal checks with a pen and not with a pencil?
• Maybe no one writes personal checks these days :)
• tamper evident and tamper resistant – to an extent
• Can a (distributed) digital ledger be changed?
• Of course!
• How to detect changes to a (distributed) digital ledger and prevent changes?
• Detect changes: audit logs
• Prevent unauthorized changes: authz, authn (requires identity)
18
[Lack of] Central authority or central repository - Examples
• I run a database on my single machine.
• Central repository?
• Central authority?
• A big search engine has a massive farm of distributed machines connected over network, that work
together to respond to search queries.
• Central repository?
• Central authority?
• A music file-sharing system (Napster) has a central list of which users have files, but files are
downloaded peer-to-peer.
• Central authority?
• Central repository?
• A file-sharing network has a distributed index of files and file chunks.
• Central repository?
• Central authority?
19
Who is data controller and data processor?
What is Bitcoin? – from the paper Conclusion
We have proposed a system for electronic transactions without relying on trust.
We started with the usual framework of coins made from digital signatures, which
provides strong control of ownership, but is incomplete without a way to prevent
double-spending. To solve this, we proposed a peer-to-peer network using proof-
of-work to record a public history of transactions that quickly becomes
computationally impractical for an attacker to change if honest nodes control a
majority of CPU power. The network is robust in its unstructured simplicity. Nodes
work all at once with little coordination. They do not need to be identified, since
messages are not routed to any particular place and only need to be delivered on a
best effort basis. Nodes can leave and rejoin the network at will, accepting the
proof-of-work chain as proof of what happened while they were gone. They vote
with their CPU power, expressing their acceptance of valid blocks by working on
extending them and rejecting invalid blocks by refusing to work on them. Any
needed rules and incentives can be enforced with this consensus mechanism.
https://bitcoin.org/bitcoin.pdf
Annotations on the quote:
• So, no non-electronic (aka paper) transactions?
• all over the world?
• distributed?
• anonymity is a goal?
• anyone can join and leave
• consensus algorithm is fixed.
• interesting
21
What is Bitcoin? – A geographically distributed peer-to-
peer network
[Figure: nodes of the peer-to-peer network, each labelled "Bitcoin ledger"]
22
Bitcoin: Blocks and Transactions
[Figure: Block N contains transactions T1, T2 (A -> B), T3 and T4; Block N+1 contains B->C; Block N+2 contains C->D. The blocks are linked by H(N) and H(N+1). Within Block N, T1 to T4 are each hashed with H(), the results are hashed pairwise with H(), and the final hash is H(N).]
Transaction (oversimplification):
- comprises the public key of the sender
- Signed structured data (with private key of transaction originator) that indicates some transfer of bitcoins
- The structured data contains information about the transfer of Bitcoins, e.g.,
  - S_key, Coin=1, R_key, Coin=2
  - S_key, Coin=0, R_key, Coin=3
- Public key of receiver
23
Does Bitcoin store personal information?
No. However, if public keys can be attributed to a person with high fidelity, there is presently no way to break that linkage, e.g., by purging those transactions from the Bitcoin ledger.
How do people use Bitcoin?
• Through an intermediary
• Bitcoin exchange
• Payment exchange
• Directly – by running the software
24
Who is the data controller / processor for Bitcoin?
• Through an intermediary
• Bitcoin exchange
• Payment exchange
• Intermediary becomes the data controller
• Directly – by running the software
• Can a peer-to-peer network which is not under anyone’s control be a data
controller?
• Are core software developers of Bitcoin data controllers?
25
Distributed Ledger Technologies aka Blockchain categorization
[Figure labels: Anonymous / Permissioned; Cryptocurrency / Non-Cryptocurrency; "Drive value of cryptocurrency"; "Cryptocurrency for a business use-case"; "Blockchain for business"; "Standards bodies and consortiums"]
26
Types of blockchain
• What is a public blockchain?
• Ledger is public – accessible by anyone
• What is a permission-less public blockchain?
• Ledger is public, and anyone can join the network. (Bitcoin)
• What is a permissioned public blockchain?
• Ledger is public, but approvals are required before joining the network. (Sovrin foundation, potentially Hyperledger Fabric also)
• What is a permissioned private blockchain?
• Ledger is private, and approvals are required before joining the network (Hyperledger Fabric)
• What is permission-less private blockchain?
• Good question :). Ledgers are private, but how can anyone join a private blockchain?
27
Blockchain properties that are challenging for GDPR
• Distributed – distributed without consent
• Immutable – existing data cannot be changed
• Permanent - existing data cannot be changed. Record is permanent
28
What is Hyperledger?
• Hyperledger is an open source collaborative effort created to advance cross-industry blockchain
technologies. It is a global collaboration, hosted by The Linux Foundation, including leaders in finance,
banking, Internet of Things, supply chains, manufacturing and Technology.
• Launched in February 2016
https://www.hyperledger.org/about
Frameworks: Hyperledger Indy, Hyperledger Fabric, Hyperledger Iroha, Hyperledger Sawtooth, Hyperledger Burrow
Tools: Hyperledger Composer, Hyperledger Explorer, Hyperledger Cello
Also pictured: Hyperledger Ursa
29
Overview of Hyperledger Fabric – Key Design Goals
• The four P’s
• Permissioned
• Privacy
• Pluggability
• Performance
30
Permissioned: Existing members determine who can join the network,
and update configuration
Public blockchains
• Download software and connect to network
• Configuration updated through developer
or community consensus
Hyperledger Fabric
• Policy-based mechanism to admit new
members and to update configuration
[Figure: a member says "I want to invite A to network"; A receives 6/8 votes (admit A: majority vote). A member says "I want to invite B to network"; B receives 3/8 votes (reject B: majority vote).]
Permissioned != Private
31
Privacy: Smart contract execution, and transaction data storage limited to a
set of nodes in the network based on policy
Public blockchains
• Every node runs smart contract
• Every full node can potentially have a full copy
of the ledger
Hyperledger Fabric
• A subset of nodes will run smart contracts
• The ledger updates are limited to a set of nodes (channel).
• Nodes in a channel can share private data directly with a subset of nodes (collections, v1.1 feature)
[Figure: nodes running the smart contract (SC), grouped as "Channel / Private data collection"]
32
Pluggability: consensus, identity provider, crypto, data format, smart
contract language
Public blockchains
• Fixed or hard to change consensus algorithm (proof of work)
• Fixed encryption (e.g., secp256k1)
• Identity = public key - self
• Domain specific language (DSL) for writing smart contracts
Hyperledger Fabric
• Pluggable consensus algorithm (PBFT, Kafka)
• Pluggable crypto service provider
• Pluggable identity provider, zero knowledge
proofs
• General data format, key / value pair
• General purpose languages for writing smart contracts (JavaScript, Go)
33
Hyperledger Fabric and GDPR
• Transaction (oversimplification):
• comprises X.509 certificate of originator containing its
public key
• As well as entities signing (voting) on this request
• No structure of data being stored
• Key / value
• X.509 certificate may contain personal data - see
screenshot
• Values may contain personal data
34
Possible approaches for GDPR and Blockchain – and
their pitfalls
• Avoid storing personal data on blockchain
• Anonymize data and store on blockchain
• Not much business value
• Encrypt data and store on blockchain
• Encryption can be broken one day
• Pseudonymize personal data
• A random identifier stored in blockchain in lieu of personal data
• An off-blockchain database stores the link between random identifier and personal data
• Logical deletion achieved by deleting personal data from off-blockchain database
• Permissioned private blockchains
• Establishing a governance process for which information will be stored in blockchain is critical to ensuring adherence to GDPR
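Added example (not from the original slides): a sketch of the pseudonymization approach above, combined with the hash-linked blocks from the "Bitcoin: Blocks and Transactions" slide. The Ledger and OffChainStore classes, the record fields and the sample people are constructed for illustration; the toy ledger has no consensus, signatures or Merkle tree.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64  # previous-hash value used by the first block


def block_hash(index, prev_hash, records):
    """Hash a block's contents together with the previous block's hash."""
    body = json.dumps({"index": index, "prev": prev_hash, "records": records},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


class Ledger:
    """Toy append-only, hash-chained ledger standing in for a blockchain."""

    def __init__(self):
        self.blocks = []

    def append(self, records):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "records": records,
                            "hash": block_hash(index, prev, records)})

    def verify(self):
        """Return the index of the first block that fails the check, or None."""
        prev = GENESIS
        for block in self.blocks:
            expected = block_hash(block["index"], prev, block["records"])
            if block["prev"] != prev or block["hash"] != expected:
                return block["index"]
            prev = block["hash"]
        return None


class OffChainStore:
    """Mutable off-blockchain database: random identifier -> personal data."""

    def __init__(self):
        self._by_pseudonym = {}

    def enroll(self, personal_data):
        # Random identifier, not a hash of the data, so it cannot be
        # recomputed from a known name or e-mail address.
        pseudonym = secrets.token_hex(16)
        self._by_pseudonym[pseudonym] = dict(personal_data)
        return pseudonym

    def resolve(self, pseudonym):
        return self._by_pseudonym.get(pseudonym)

    def erase(self, pseudonym):
        """Logical deletion: drop the link; the ledger itself is untouched."""
        return self._by_pseudonym.pop(pseudonym, None) is not None


def demo():
    store, ledger = OffChainStore(), Ledger()
    # Constructed sample data subjects.
    alice = store.enroll({"name": "Alice Example", "email": "alice@example.org"})
    bob = store.enroll({"name": "Bob Example", "email": "bob@example.org"})

    # Only the random identifiers go on the ledger.
    ledger.append([{"subject": alice, "event": "enrolled"}])
    ledger.append([{"subject": bob, "event": "enrolled"},
                   {"subject": alice, "event": "grade-posted"}])

    on_chain = json.dumps(ledger.blocks)
    results = {
        "personal_data_on_chain": "Alice Example" in on_chain
                                  or "alice@example.org" in on_chain,
        "valid_before": ledger.verify(),
        "resolved_before": store.resolve(alice)["name"],
    }

    # Erasure request: delete off-chain, leave the ledger as it is.
    results["erased"] = store.erase(alice)
    results["resolved_after"] = store.resolve(alice)
    results["valid_after"] = ledger.verify()
    results["pseudonym_still_on_chain"] = alice in json.dumps(ledger.blocks)

    # Contrast: editing a published block in place is detected by verify().
    ledger.blocks[0]["records"][0]["event"] = "edited"
    results["tampered_block"] = ledger.verify()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After erasure the ledger still verifies and still holds the random identifier and the event, which is why the slide calls the deletion logical.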
35
Conclusion
• Start with big picture – establish governance process
• Avoid storing personal data on blockchain
• If blockchain is unavoidable, consider permissioned private
blockchains
• Be as clear and as transparent as possible with your users
36
