How to Navigate Data Privacy Regulations When Deploying Enterprise Blockchain Solutions
Four best practices for prioritizing privacy regulations so that blockchain or any other digital transformation initiatives can succeed
As businesses in nearly every sector focus on digital transformation, more aim to incorporate enterprise blockchain technology into their operations. According to a Deloitte study, more than half of global executives included blockchain among their top strategic priorities in 2020, indicating a growing interest in the technology's applications across industries and regions.
But to turn that interest into real innovation, there's a lot of work to do. In fact, businesses have to account for myriad data-privacy regulations when developing and deploying enterprise blockchain solutions.
With a plethora of international and United States-specific privacy laws, data privacy and security are becoming more structured. Notably, Europe's General Data Protection Regulation was implemented in 2016 and was the first comprehensive legislation aimed at protecting individual privacy and preventing companies from misusing customer data. In the U.S., the California Consumer Privacy Act soon followed, preceding a wave of similar (but different) regulatory mandates introduced across the country. About half of U.S. states are actively working toward privacy legislation of their own, with states such as Virginia, Colorado and Utah formally introducing regulations.
Although many of these statutes are anchored by the same core principles of protecting consumers' data, there's enough variance to give corporate compliance teams headaches -- and plenty of reason to break out the proverbial red tape at the first mention of enterprise blockchain.
Even so, the potential uses of blockchain technology are too appealing for companies to remain on the sidelines for long. Rather than preventing enterprise blockchain adoption, the hodgepodge of data legislation making its way through state courts today will likely influence key decisions around solution architectures as application development picks up.
These new regulations impact many advanced technologies. However, there are inherent differences in the way data is secured and distributed across a blockchain network -- when compared to cloud networks or local area networks, for example -- that are both good and bad for businesses.
As a shared distributed ledger technology where transactions are appended as blocks across many connected computers, blockchain eliminates the need for centralized oversight and data storage. That means blockchain deployments provide a confidence framework where tighter integrations, process automation via smart contracts, and unprecedented privacy controls enable the creation of entirely new business models. On the other hand, the same mechanisms that make the technology so revolutionary also create an additional layer of complexity for architects, designers, and compliance teams.
Big decisions ahead
In regulated industries, the participants that make up a blockchain network must be identified and known. The architecture of an enterprise blockchain application -- specifically the processes for onboarding those participants, managing keys and other credentials that enable participation, and determining the distribution of nodes (computers that power the network) -- must account for the relevant regulatory requirements in each jurisdiction the network touches. That network could easily include jurisdictions scattered around the globe.
If, for instance, you're working on a blockchain that crosses national borders and encompasses machines in countries that have varying mandates governing the use of certain data, you'd probably face some uncertainty as to how to proceed. Should you sacrifice elements of security or efficacy to avoid countries that have ambiguous or unfavorable laws? Or should you hire a third party with both the legal expertise and technical acumen to make alternative recommendations? What if one country enacts legislation prohibiting the transfer of personally identifiable information across borders?
So far, these questions don't have hard-and-fast answers. Architects and designers have to work carefully to ensure data is stored appropriately and to define what data is essential to the network early in the development life cycle of any enterprise blockchain application. They'll also have to make sound decisions to ensure adherence to regulations, eliminate rework and streamline the delivery of value to network participants.
That's no easy ask. Because blockchains are distributed by design (and often cross borders), architects will be on a constant quest for balance. They'll need to make sure the network meets all applicable regulations. At the same time, they'll need to ensure that there's enough information in the blockchain to establish data authenticity, thereby maintaining trust within the ecosystem.
Searching for clarity
If companies want to succeed with blockchain or any other digital transformation initiatives, they must have a strategy that ensures data and privacy regulations are a priority consideration rather than an afterthought. Above all, that means sticking to the following best practices:
1. Use the most stringent requirements as a baseline
A solution that adheres to the most austere regulatory standards found in the myriad data and privacy statutes will be the best solution in the long run. Given the relative maturity and comprehensive nature of the General Data Protection Regulation, you might start your compliance journey there. Disney has strong privacy guidelines and communicates compliance to customers. In fact, GDPR is one of the main reasons Disney was initially slow to announce its rollout of Disney+ in the U.K. Disney had to fully understand the local privacy regulations to ensure its underlying systems adhered to these stringent standards.
2. Make data and privacy an organizational imperative
Data and privacy will continue to be defining political topics in the digital age, and related laws will only become more numerous. Companies should continually educate business and technology teams on the importance of data protection and see that architectural assessments explicitly include data privacy and protection as a gate for approval. For large organizations, it might even make sense to create or assign an executive role tasked with overseeing privacy and protection across the company, and with an understanding of how emerging legislation might shape future strategy.
3. Expect continuous maintenance
Continuous maintenance is the nature of all technology solutions and therefore needs to be planned in from the beginning. Regulatory requirements related to blockchain and other new technologies are constantly evolving, and that means your internal policies governing the use of this tech should be evolving, too. Moreover, whenever technology is playing a key role in data privacy and protection (which is almost always), make sure that tools and platforms are scalable and adaptable so that you don't have to invest in new ones every time regulatory language changes. Having a scalable platform and a robust set of tools enables companies to adapt to regulations more quickly without putting a product roadmap in jeopardy due to the regulatory environment.
4. Create a recovery plan
Even with the most carefully constructed plans, data leakage is inevitable at some point. That's why every company should have guardrails in place for when data escapes its network. Create a remediation plan that's not only well-defined, but also easy for key stakeholders to access just in case. TiVo relies on data to provide advanced recommendations and leverage search engines, requiring scalable infrastructure that dynamically adapts to the on-demand nature of streaming services and cable television. A key part of dynamic scaling is a recovery plan built into the scaling infrastructure, one that combines traditional backup and recovery techniques with heuristics that predict scaling needs. Together, they provide a dynamic, scalable, and dependable service that meets the high demands of their customers.
Privacy regulations won't necessarily slow the adoption of blockchain, but they will have an impact on key decisions around the architecture of a blockchain solution. In today's digital landscape, data privacy regulations in one corner of the world will impact digital practices in another. Business leaders must develop solutions that ensure data and privacy regulations are part of business decisions as a priority -- not an afterthought.