How GDPR plus blockchain leads to the future of self-sovereign identity

December 9, 2016 by Marla Hay

In April, the European Union (EU) parliament took major strides in protecting personal data by approving the General Data Protection Regulation (GDPR). The GDPR replaces the 20-year-old Data Protection Directive 95/46/EC and mandates how the personal data of EU citizens can be managed and processed. This regulation is designed not only to improve the security and privacy of personal data in the EU but also to return the control and management of personal data and identities to the individual.

While the GDPR affects both physical and digital identity management, it includes a number of provisions on personal data management that affect digital identity governance and emphasize individual control over one’s own data.

Right to Access

Article 15 of the regulation stipulates that an individual has the right to understand who has access to their personal data, what data has been made available and how that data is being used or processed. In addition, the individual must be able to obtain, on demand and with no charge, a copy of the digital information undergoing processing.

Right to Consent

While not new to GDPR, the regulation continues to stipulate, specifically in Article 7, that an individual must consent to data being used and, moreover, has the right to rescind that consent at any time.

Right to be Forgotten

Stipulated in Article 17, the right to be forgotten means that an individual has the right to demand that a data controller erase any or all data held about the individual by that controller.

Right to Portability

The right to portability outlines that an individual has the right to receive the personal data provided to a controller in a digital format and may transmit that data as desired. Effectively, an individual should be able to obtain, move and provide access to their digital data as they see fit.

Right to Data Minimization

In Article 25, the processor is mandated to ensure that “… only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.” This means that only the minimum amount of personal data needed should be granted.

Each of these items is achievable today through an enterprise-class Consumer Identity and Access Management (CIAM) solution (ahem), but what’s interesting is how the regulation as a whole hints at a shift in the way that individual identity could be managed in the future.

Today, an individual’s identity is managed through distinct controllers and processors. The language in the regulation talks about how each of those disparate, siloed systems must provide access, consent management, erasure and portability to the user. The user must be able to take their identity from one place to another, grant access as they see fit, rescind it at will, and be ensured that only the minimum amount of information needed is used. Each organization managing data for the individual bears the responsibility for upholding those rights.

But what if the onus of personal data stewardship weren’t on the controller and processor at all, but instead given to the individual? If that were the case, the individual wouldn’t need to rely on a controller, issuer or processor to adhere to regulation to obtain, copy, move, transmit or secure their data. The individual would own it and they would control access.

This is where blockchain gets really interesting. In order for an individual to manage their own data, they alone need to have complete access, the data must be trusted by third parties as valid (so that it can be used as easily as any physical identifier), and they need a way to grant and rescind scoped access.

With blockchain, we have a distributed ledger technology, meant to provide information that no distinct entity controls or manages. Because blockchain utilizes a decentralized network of peers, where the history and current validity are publicly auditable, it becomes a neutral, trusted and secure mechanism for self-managed user identity. By placing both a data storage layer and a key/secret or some other access grant mechanism on top of it, an individual can not only securely store their data, but can now grant and rescind access to processors as needed. Likewise, issuers like trusted governments or licensing agencies can add identity information to an individual’s blockchain record as permitted or requested by the individual.

The idea that blockchain could be used to manage identity isn’t new. In 2015, Guy Zyskind, Oz Nathan and Sandy Pentland authored a paper describing in detail how blockchain could be used to secure personal data. Also in 2015, a paper from the “Rebooting the Web of Trust” workshop, “Decentralized Public Key Infrastructure,” outlined how blockchain can be used to manage key-value stores in order to facilitate secure, self-managed identities. Today, blockchain company ShoCard allows an individual to add their physically issued identities to a blockchain and grant access to third parties.

What’s new is how the ratification of GDPR, espousing greater individual control over personal data, dovetails with the emergence of the application of blockchain for self-managed identity.

One of the authors of the decentralized PKI paper, Christopher Allen, describes the concept of self-owned and managed identity as “self-sovereign” identity. The term “self-sovereign” has been in use recently but without an agreed-upon definition. Christopher defines the term in a set of 10 principles (at the end of his article on the path to self-sovereignty) that align with and expand on the standards established by the GDPR.
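
The ledger-plus-access-grant arrangement described above, sketched as an added example that is not from this article or from any of the papers and products it names. It assumes a single-node hash chain standing in for the blockchain and omits signatures and consensus; `ConsentLedger`, `release`, `VAULT` and the processor name are hypothetical.

```python
import hashlib, json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Toy single-node stand-in for the ledger: append-only, hash-chained."""
    def __init__(self):
        self.entries = []

    def append(self, action, processor, fields=()):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, "action": action,
                "processor": processor, "fields": sorted(fields)}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def scope(self, processor):
        """Replay the log: the latest grant sets the scope, a revoke clears it."""
        granted = set()
        for e in self.entries:
            if e["processor"] == processor:
                granted = set(e["fields"]) if e["action"] == "grant" else set()
        return granted

def release(ledger, vault, processor):
    """Hand a processor only the fields it currently holds a grant for."""
    if not ledger.verify():
        raise ValueError("ledger failed integrity check")
    allowed = ledger.scope(processor)
    return {k: v for k, v in vault.items() if k in allowed}

# Constructed sample record (not real personal data)
VAULT = {"name": "Alex Example", "email": "alex@example.org", "dob": "1990-01-01"}

def demo():
    ledger = ConsentLedger()
    ledger.append("grant", "shop.example", ["email"])   # scoped consent
    before = release(ledger, VAULT, "shop.example")
    ledger.append("revoke", "shop.example")             # consent rescinded
    after = release(ledger, VAULT, "shop.example")
    return before, after, ledger
```

The grant and the later revoke both stay in the log, so the consent history remains auditable even after access ends.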

This alignment is a further testament that the GDPR may signal not just an emphasis on individual data control, but a change in the mechanisms by which identities are stored and managed.

Together, the GDPR and blockchain advocates point to the same thing – the need to fundamentally change the way in which personal data is managed. From both a principle and a practical perspective, the status quo of disparate identity stores managed by social networks, banks, governments and individual websites needs to shift to grant the individual sovereignty over their data. From the perspective of principle, the individual has an innate right to the information that comprises who they are. From a practical perspective, a single, trusted, portable source of personal data, managed and leveraged by the individual, allows every data issuer and processor a consistent, efficient way to interact with an individual’s digital identity.

As both the concept of self-sovereignty and regulation around user control grow, it’s clear that the age of the user is arriving, and the future of digital identity will hinge on technology that best facilitates the right of an individual to own and manage their identity.

Learn more about how Janrain is GDPR compliant and helping companies manage customer identity safely and securely, or attend our “Kickstarting Your GDPR Readiness” webinar on February 28.