May 25, 2018, the deadline for compliance with GDPR, is getting close. Given the recent discourse in the media around control of personal data, we thought GDPR was the perfect topic to cover in a post about data security. GDPR is exactly the type of regulation that raises questions around digital trust, and what measures must be put in place to secure data and help consumers regain that trust. Since the erosion of digital trust is on everyone's minds, we wanted to contribute to the dialogue with a more in-depth explanation of how our Digital Trust Platform is uniquely applicable in this space.
As a company, we are focused on enabling two key capabilities:
Ability to store and organize strongly encrypted data without making it vulnerable in the data layer (Black Forest Database “BFDB”)
Ability to exchange value and information securely without having trusted intermediaries look at the data (Black Forest Distributed ledger “BFDL”)
As a result of Craxel’s breakthrough in high performance searchable encryption, our Digital Trust Platform can index and search strongly encrypted data without decryption, without the encryption keys present, and with remarkable performance and at massive scale. In addition, our distributed ledger architecture enables the secure exchange of value or information with a high level of assurance. A key feature of both of these essential capabilities is granular control over each record in BFDB or each transaction in BFDL. Access is controlled by security labels, mandatory access controls, and by application layer encryption. Keep in mind that BFDL hashes transactions, not blocks, enabling fine grain auditability of the contents of a ledger.
Craxel's Digital Trust Platform and GDPR
Craxel's technology holds some of the key requirements for GDPR compliance. In addition to creating efficient search tools for encrypted data, Craxel's platform enables pervasive data compartmentalization, exactly the granular data protection needed for GDPR.
To provide a bit of context: In April 2016, the European Union adopted the General Data Protection Regulation (“GDPR”) (Regulation EU 2016/679) with the intention of strengthening data protection for EU citizens on a global basis. GDPR sets new standards for the management, protection, processing and transfer of all data collected on EU citizens that can either directly or by inference be used in ways to identify its citizens. Significantly, the law applies to both a data controller AND a data processor, and can hold some very strict penalties (e.g., the greater of EUR 20 Million or 4% of global turnover).
The key requirements are quite interesting and raise significant concerns for enterprises and their compliance strategies:
• Rights: Data subjects are granted the right to demand access to their data, to have their data transferred to the processor of their choosing and to have their data permanently deleted, also known as the right to be forgotten. (Article 17)
• Records: Data controllers are required to maintain records of their processing activities associated with the data they control (Article 28)
• Notification: An affected data controller or processor must notify their supervisory authority of leak within 72 hours and notify all affected parties “without delay” (Articles 31, 32)
Long-term, blockchain and distributed ledger might be the solution for GDPR. However, current solutions pose some threshold questions. For example, the right to be forgotten is the right to have your data removed upon request; if you have an immutable (unchangeable) ledger, does that conflict with GDPR? Companies also have an obligation to protect personally identifiable information that is within their purview as a “Data Controller.” Will personally identifiable information ever be permissible on the blockchain due to risk that the network will have access to the details?
Given these constraints, we think GDPR is a great example of where Craxel's Digital Trust Platform can solve some key issues.
For example, as a result of our pervasive compartmentalization and granular data protection, data controllers and processors will be able to satisfy regulatory requirements with respect to the rights of individuals, including the right to be forgotten, without a negative impact to their existing business processes. In addition, they will be able to take advantage of the benefits of distributed ledger technology and still adhere to the GDPR. (Note: There is an argument to be made that specific user data “to be forgotten” can easily be queried in its encrypted state, and “forgotten” by simply destroying the decryption key. However, there is no definition in the GDPR of “erasure of data” so it’s unclear whether destroying the encryption keys which encrypts personal data would be acceptable as “erasure of data” under GDPR).
Records of processing activity are also easily accommodated under the BFDL architecture. BFDL supports millions to billions of independent trustless and immutable ledgers, providing the ability to store granular provenance and data interaction events on a massive scale. Under traditional blockchain systems, this simply isn't feasible because of the privacy, security, latency, throughput and scalability problems.
Finally, searchable encryption provides relief from the notification requirements as per Article 32 because decrypted data is never present. In the unlikely event that an attacker could access the strongly encrypted data stored in Black Forest Database or Black Forest Distributed Ledger, they would only see cipher text and would not have access to the encryption keys.
Whether enterprises are ready for it or not, there is an emerging paradigm shift around data control. GDPR is one of several emerging examples of how a Digital Trust Platform - efficiently securing and exchanging the world's data - can uniquely deliver a seamless revolution in data protection.
This summary of EU regulations is not intended to provide legal advice regarding such regulations or any other applicable laws regarding the matters addressed above. Please consult appropriate counsel for any such advice.