HANOVER, Germany—If there was ever a clear example of how pervasive the challenges are for IT managers when dealing with the European Union’s General Data Protection Regulation, it was illustrated by engineers with Software AG, when they tried to deal with a capacity planning project for a commuter railroad.
The problem is one that’s shared far beyond Europe and far beyond commuter railroads. The problem is finding an automated way to determine how full a commuter train was to determine probable delays in loading and unloading the train as well how those delays would affect other trains on the same line.
In the process, the company found itself dealing with data from a series of sensors both on the rails and on board the train as well as data kept in the ticketing system. The process of counting how many people were on the train was straightforward. But when coupled with the ticket information, it suddenly presented privacy issues. This comes up frequently in commerce because the tickets are tied to credit card purchases and credit cards contain passengers’ identify information.
Originally, the company envisioned using a blockchain application as a handy way to store capacity information, but then along came the GDPR. If the ridership information contained any link to the information of the people who had bought tickets, then it fell under the purview of the GDPR. That meant that engineers had to find a way to clearly divide the types of information, but because the ticketing information was important in analyzing the ridership details, it’s not easy to find a solution that complies with regulation.
It runs afoul of GDPR because it’s possible to determine who boarded a particular train and when they boarded it. This may sound complex, but it’s enough to pose GDPR issues in the minds of regulators. The blockchain challenge arose because that personal information would have then become part of a blockchain’s distributed ledger, which meant that the information would likely be outside the control of the company, and worse, couldn’t be deleted, thus violating Europe’s rule about the right to be forgotten.
The project was never put into operation for a variety of reasons, so blockchain never became an operational issue. But it serves to illustrate how wide ranging GDPR can be The issues also affects IT systems in the U.S. and elsewhere outside Europe.
Let’s say, for example, that you run an ecommerce site. Anyone who wants to can visit your site and buy stuff. All it takes is a credit card and some basic information, such as the shipping address. However, that information triggers GDPR even if you’re not in Europe. But you’ve designed your systems so that the data of European residents is tightly protected, everything is encrypted and your systems are set up so that your customer can be deleted from your ordering system easily and quickly.
If that’s all you do with the data that you use when selling products, you might be fine. But if you decide to use some of the data, even if it’s anonymized, you could be in trouble. The reason? Just like it’s likely you could use information gathered for another purpose to find out who is on a train, you may also be able to determine the identity of customers that bought whatever it is that you’re selling. If you put that data into an application that uses blockchain, then you’ve effectively lost control of that data and you have violated the GDPR regulation. So is there a solution?
I asked Software AG’s senior solutions engineer Görkem Türkel, the company’s authority on blockchain who is attending the CEBIT trade show here, what the answer was. “This may be a use case where we can’t use blockchain,” he said.
The reasoning may sound obscure, but it’s very real. The company cited a study that showed that given enough data, it was possible to analyze anonymous data and still determine who the data came from with a high degree of confidence. All that putting it into blockchain accomplishes is to make it impossible to remove.
It turns out that this is an even bigger issue when internet of things data, as the company found out with the commuter train project. You can collect private information without intending to depending on how much data you collect and how you record it, you can remove its privacy protection.
So what do you do? There are a couple of approaches that might work. The most obvious is to not use blockchain for anything that might involve personally identifiable data, even tangentially. It’s one thing to use data from sensors, such as in a manufacturing operation, but you have to make certain that you don’t also collect personal information.
Another approach is to not collect information from anyone in Europe. That may mean setting your commerce system to reject European addresses.
Or you can decide to do the best you can to meet EU privacy regulations for data protection by disclosing how you use customer data, by getting permission to collect data for anticipated uses and being careful not to violate the GDPR. But you’d also have to avoid using blockchain for anything related to your customers. After all, those penalties apply regardless of where you are.