Privacy poisoning is inserted personal data that renders the blockchain potentially noncompliant with privacy laws
Negotiating privacy regulations is becoming increasingly difficult for security and risk management leaders, including chief information security officers and privacy professionals. For many organisations, privacy is a business-critical discipline, writes Bart Willemsen, Senior Director Analyst at Gartner
Recent developments in policy — most notably the EU’s General Data Protection Regulation (GDPR) — have driven a global movement of maturing privacy and data protection laws with stricter requirements. Many countries have begun implementing regulations inspired by GDPR principles, with the trend set to continue for the foreseeable future.
These evolving privacy requirements have a direct and dramatic impact on a business’s strategy, purpose and methods for processing personal data.
Breaches of the same requirements can prove fatal for a company in financial, reputational and disciplinary terms. Security and risk management leaders are advised to pay due diligence to Gartner’s privacy predictions for 2019 to ensure continued transparency and customer assurance.
By 2020, backed up and archived personal data will pose the greatest area of privacy risk for 70% of organizations. In 2018, this concerned only 10% of organizations. Today, businesses retain backups of large swathes of sensitive and vulnerable personal data, without any clear intention of using it. Since the sensitivity and vulnerability of data are inherent characteristics, level of risk is proportional to volume. Moreover, the introduction of privacy violation penalties and fines renders the risk of holding onto unused personal data potentially very costly.
Over the next two years, any organization that fails to revise its data retention policies to reduce overall data stored (and data backed up) risks sanctions for noncompliance, in addition to facing the impact of an eventual data breach.
Blockchain Facing “Privacy Poisoning”
By 2022, in particular, three-quarters of public blockchains will suffer “privacy poisoning.” This is inserted personal data that renders the blockchain potentially noncompliant with privacy laws. While blockchain is a promising technology in terms of applications, businesses looking to implement it must establish whether the data in use is subject to any privacy laws. For example, public blockchains require an immutable data structure. In other words, once data is recorded, it cannot easily be modified or erased. Privacy rights granted to individuals include the “right to be forgotten.” If customers opt for this option, personal data processed about them must be deleted.
This is concerning in itself, since entries in a public blockchain poisoned with personal data cannot be replaced, anonymized or structurally deleted. Thus, businesses cannot marry their need for record keeping with their compliance obligations. Organizations implementing blockchain systems without managing privacy issues will run the risk of holding onto personal data that cannot be deleted without compromising chain integrity.
By 2023, over 25% of GDPR-driven, proof-of-consent implementations will involve blockchain technology. This is an increase from less than 2% in 2018.
Regardless of the jurisdiction of operation and various privacy laws an organization may face, it is obvious organizations worldwide are at different stages in their journey to compliance. The pressure to implement a holistic privacy management program is increasing globally, and driving businesses to evaluate their data collection processes. However, the majority are struggling with integration costs and technology aiding accelerated compliance.
The application of blockchain to consent management is an emerging scenario at an early stage of experimentation. Various organizations have started exploring the use of blockchain for consent management, because the potential immutability and tracking of this new technology could provide the necessary tracking and auditing required to comply with data protection and privacy legislation.