Blockchain in the compliance arsenal
Blockchain technology may support some data management efforts, but it's not a silver bullet for compliance.
Amid growing global interest in the potential for blockchain technologies to support data management, enterprises may be questioning its role in compliance, particularly as the deadline looms for compliance with the European Union General Data Protection Regulation (GDPR).
For South African enterprises, compliance with the Protection of Personal Information (POPI) Act and alignment with the GDPR are a growing concern. Because GDPR and POPI are designed to foster best practice in data governance, it is in the best interests of any company to follow their guidelines for data quality, access control, life cycle management and process management - no matter where in the world they are based.
At the same time, blockchain is attracting worldwide interest from a storage efficiency and optimisation point of view, and many companies are starting to wonder whether it can effectively support data management, security and compliance. One school of thought holds that moving beyond crypto-currency, blockchain's decentralised data management systems and ledgers present new opportunities for more secure, more efficient data storage and processing.
However, there are still questions around how blockchain will align with best practice in data management and whether it will effectively enhance data security.
Once data is stored in blockchains, it cannot be changed or deleted.
Currently, blockchain technology for storing data may be beneficial for historic accounting and tracking/lineage purposes (as it is immutable), but there are numerous factors that limit blockchain's ability to support GDPR/POPI and other compliance requirements.
Immutability pros and cons
Because public blockchains are immutable, once data is stored in blockchains, it cannot be changed or deleted. This supports auditing by keeping a clear record of the original, and every instance of change made to the data. While blockchain stores the lineage of data in an economical way, it will not address data quality and integration issues, however.
It should also be noted that this same immutability could raise compliance issues around the GDPR's right to be forgotten guidelines. These dictate the circumstances under which records should be deleted or purged.
In a public blockchain environment, this is not feasible. Indeed, in many cases, it would not be realistic or constructive to destroy all records, and this is an area where local enterprises would need to carefully consider how closely they want to align with GDPR, and whether encryption to put data beyond use would suffice to meet GDPR's right to be forgotten guidelines.
Publicly stored data concerns
In addition to the right to be forgotten issue, there is the challenge that data protection, privacy and accessibility are always at risk if data is stored in a public domain, such as the cloud or a blockchain environment. Therefore, enterprises considering the storage optimisation benefits of blockchain would also have to consider whether the core and confidential data is locally stored on private chains, and more importantly, whether those chains are subjected to security and access rules and whether the chain registries in the blockchain distributed environment are protected and subject to availability rules.
Blockchain environments also potentially present certain processing limitations: enterprises will have to consider whether blockchain will allow for parts of the chain stored for a particular business entity, such as a customer (or its versions), to be accessed and processed separately by different parties (data subjects) and/or processes.
Data quality question
The pros and cons of blockchain's ability to support storage, management and security of data in the environment is just one side of the compliance coin: data quality is also a requirement of best practice data management. This is not a function of blockchain and therefore cannot be guaranteed by blockchain. Indeed, blockchain will store even unqualified data prior to its being cleansed and validated.
Enterprises will need to be aware of this, and consider how and where such data will be maintained. The issues of data integration and impact analysis also lie outside the blockchain domain.
IDC notes: "While the functions of the blockchain may be able to act independently of legacy systems, at some point blockchains will need to be integrated with systems of record," and says there are therefore opportunities for "blockchain research and development projects, [to] help set standards, and develop solutions for management, integration, interoperability, and analysis of data in blockchain networks and applications".
While blockchain is set to continue making waves as 'the next big tech thing', it remains to be seen whether this developing technology will have a significant role to play in compliance and overall data management in future.
Mervyn Mooi is a director of Knowledge Integration Dynamics (KID) and represents the ICT services arm of the Thesele Group. His competencies and focus is within data/information management and governance.
Mooi has been in the ICT and data solutions industry for 38 years, beginning his career as an operator at the CICS bureau in Johannesburg in the early 1980s. Thereafter, he was appointed as a programmer at state-owned oil exploration and production company SOEKOR.
In 1986, Mooi joined Anglo American's head office ICT department where he remained for almost 12 years. Here he progressed to become a senior programmer, analyst, database administrator and technical support specialist. After completing his degree in informatics, he then left to join Software Futures, where he worked as a senior consultant for 18 months in the data warehousing and business intelligence arena.
Mooi joined KID in 1999 as a data warehouse and business intelligence specialist. His experience in ICT disciplines includes operations, business and systems analysis, application development, database administration, data governance/management, data architecture/modelling, software support, data warehousing and business intelligence.