hi I'm Peter Burris and welcome to this week's action item once again we're broadcasting from our beautiful the cube Studios in Palo Alto California and the wiki bond team is a little bit smaller this week for variety of reasons I'm being joined remotely by Neil Raiden and Jim Kabila's how you doing guys we're doing great Peter I'd be good thank you alright and it's actually a good team what we're gonna talk about we're gonna be specifically talking about some interesting developments and 14 days or so gdpr is gonna kick in and people who are behind will find themselves potentially subject to significant fines we actually were talking to a chief privacy officer here in the US who told us that had the Equinix breach occurred in Europe after May 25 2008 eeen it would have cost or Equifax the Equifax breach it would have cost Equifax over 160 billion dollars so these are very very real types of money that we're talking about but as we started thinking about some of the implications of gdpr and when it's going to happen and the circumstances of its of its success or failure and what its gonna mean commercially to businesses we also started trying to fold in a second trend and that second trend is the role of bitcoins going to play Bitcoin has a number of different benefits we'll get into some of that in a bit but one of them is that the data is immutable and gdpr has certain expectations regarding a firm's flexibility and how it can manage and handle data and blockchain may not line up with some of those issues as well as a lot of the Braque blockchain advocates might think Jim what are some of the specifics well Peter yeah blockchain is the underlying distributed hyper ledger or trusted database underlying Bitcoin and many other things blockchain yeah you know the one of the core things about blockchain that makes it distinctive is that you can create records and append them to block change you can read from them but can't delete them or update them it's not a crud database it's essentially for you to be able to go in and you know and erase a personally identifiable information record on an EU subject is you EU citizen in a blockchain it's not possible if you stored it there in other words blockchain then at the very start because it's an immutable database would not allow you to comply with the GDP ours were quite that people have been given a right to be forgotten as what what it's called that is a huge issue that might put the big kibosh on implementation of blockchain not just for PII in the EU but really for multinational businesses anybody who does business in Europe and the core you know coordination is like you know we're disregard brexit for now like Germany and France and Italy you got to be conformant completely worldwide essentially with your in your your PII management capabilities in order to pass muster with the regulators in the EU and avoid these massive fines blockchain seems like it would be incompatible with that compliance so where does the blockchain industry go or does it go anywhere or will it shrink well the mania died because of the GDP our slap in the face probably not there is a second issue as well Jim Lise I think there is and that is blockchain is allows for anonymity which means that everybody effectively has a copy of the ledger anywhere in the world so if you've got personally identifiable information coming out of the EU and you're a member or you're a part of that blockchain Network living in California you get a copy of the ledger now you may not be able to read the details and maybe that protects folks who might implement applications in blockchain but it's a combination of both the fact that the ledger is fully distributed and that you can't go in and make adjustments so that people can be forgotten based on EU laws if I got that right that's right and then there's a gray area you can't encrypt any and every record in a blockchain and conceal it from the prying eyes of people in California or in Thailand or wherever in the EU but that doesn't delete it that's not the same as erasing or deleting so there's a gray issue and there's no clarity from the EU regulators on this what if you use secret keys to encrypt individual records PII on a blockchain and then lost the keys or deleted the keys is that effectively would that be the same as he racing the record even though those bits still be there to be unreadable none of this has really been addressed in practice and so it's all a gray area it's a huge risk factor for companies that are considering exploring uses of blockchain for managing identity and you know security and all that other good stuff related to the records of people living in EU member countries so it seems as though we have two things they're gonna have that are that are likely to happen first off it's very clear that a lot of the GDP are related regulations were written in advance of comprehending what blockchain might be and so it doesn't and GDP are typically doesn't dictate implementation styles so it may have to be amended to accommodate some of the blocks a blockchain implementation style but it also suggests that increasingly we're going to hear from a design standpoint the breaking up of data associated with a transaction so that some of the metadata associated with that transaction may end up in the blockchain but some of the actual PII related data that is more sensitive from a GDP or other standpoint might remain outside of the blockchain so the blockchain effectively becomes a distributed secure network for managing metadata in certain types of complex transactions this is is that is that in scope of what we're talking about Jim yeah I bet you've raised and alluded to a big issue for implementers there will be on chain implementations of particular data data applications and off chain implementations off chain off blockchain will probably be all the PII you know in databases relational and so forth that allow you to do deletes and updates and so forth in you know to comply with you know gdpr and so forth and similar mandates elsewhere gdpr is not the only privacy mandate on earth and then there's on chain applications that you'll word the data what data sets will you store in blockchain you mentioned metadata now metadata I'm not sure because metadata quite often is is updated for lots of reasons for lots of operational patience but really fundamentally if we look at what a blockchain is it's a audit log it's an archive potentially of a just industry fashioned historical data that never changes and you don't want it to change ideally I mean I get an audit log you know let's say in the Internet of Things autonomous vehicles crashed and so forth and the data on how they operate should be stored you know either in a black box on the devices on the cars themself and also possibly backed up to a distributed blockchain where there is a transact or there's a there they a trusted persistent resilient record of what went on that would be a perfect idea for using block chains for storing perhaps trusted timestamp maybe encrypted records on things like that because ultimately the regulators and the courts and the lawyers and everybody else will want to come back and subpoena and use those records to and analyze what went on I mean for example that's an idea where something like a block shape and simile might be employed that doesn't necessarily have to involve PII unless of course it's an individual persons car and so there's all those great areas for those kinds of applications so right now it's kind of looking fuzzy for blockchain in lots of applications where identity can be either you know where you can infer easily the infer the identity of individuals from data that may not on the face of it look like it's PII so Neal I want to come back to you because it's this notion of being able to infer one of the things that's been going on in the industry for the past well 60 years is the dream of being able to create a transaction and persist that data but then generate derivative you out of that data through things like analytics data sharing etc blockchain because it is but you know it basically locks that data away from prying eyes it kind of suggests that we want to be careful about utilizing blockchain for applications where the data could have significant or could generate significant derivative use what do you think well we've known for a long long time that if you have anonymized data in the data set that it can merge that data with data from another data set relatively easy to find out who the individuals are right you add you add DNA stuff to that eh our records surveys things from social media you know everything about people and that's dangerous because we used to think that while losing are losing our privacy means that are going to keep giving us recommendations to buy these hands and shoes it's much more sinister than that you can be discriminated against in employment in insurance in your credit rating and all sorts of things so it's it's I think a really burning issue but what does it have to do with blockchain and G GD R that's an important question I think that blockchain is a really emerge short technology right now and like all image search technologies it's either going to evolve very quickly or it's gonna wither and die I'm not going to speculate which one it's going to be but this issue of how you can use it and how you can monetize data and things that are immutable I think they're all unanswered questions for the wider role of applications but to me it seems like you can get away from the immutable part by taking previous information and simply locking it away with encryption or something else and adding new information the problem becomes I think what happens to that data once someone uses it for other purpose than putting it in a ledger and the other question I have about GD d are in blockchain is who's enforcing this one army of people are sifting through all the stated at the side use and violation does it take a breach before they have it or is there something else going on the act of participating in a blockchain equivalent to owning or or having some visibility or something into a system so I am gdpr again hasn't doesn't seem to have answers to that question Jim what were you gonna say yeah the EU and its member nations have not worked out have not worked out those issues in terms of how will you know they monitor enforcement and enforce GDP are in practical terms I mean clearly it's gonna require on the parts of Germany and France and the others and maybe you know out of Brussels there might be some major Directorate for GDP our monitoring and oversight in terms of you know both companies operating in those nations as well as overseas with European Berger's none of that's been worked out by those nations clearly that's like you know it's just like the implementation issues like blockchain are not blockchain it's we're moving it toward the end of the month with you know not only those issues networked out many companies many enterprises both in Europe and elsewhere are not GDP are ready there may be some of them I'm not gonna name names may make a good boast that they are but know nobody really knows what it needs to be ready at this point I just this came to me very clearly when I asked Bernard Marr well-known author and you know influencer and the big data space at UM in Berlin a few weeks ago at at the data works and I said Bernard you know you consult all over with big companies what percentage of your clients and without giving names do you think are really truly GDP are already perm age when he said very few because they're not sure what it means either everybody's groping their way towards some kind of a hopefully risk mitigations threatened risk mitigation strategy for you know addressing this issue well the technology certainly is moving faster than the law and I'd say an argue even faster than the ethics it's going to be very interesting to see how things play out so we're just for anybody that's interested we are actually in the midst right now of doing right now doing some a nice piece of research on blockchain patterns for applications and what we're talking about essentially here is the idea that blockchain will be applicable to certain classes of applications but a whole bunch of other applications it will not be applicable to so it's another example of a technology that initially people go oh wow that's the technology it's going to solve all problems all date is going to move into the cloud Jim you like to point out Hadoop all data and all applications are going to migrate to the doop and clearly it's not going to happen Neil the way I would answer the question is it blockchain reduces the opportunity for multiple parties to enter into opportunism so that you can use a blockchain as a basis for assuring certain classes of behaviors as a group as a community and and and B and had that be relatively audible and understandable so it can reduce the opportunity for opportunism so you know companies like IBM probably you're right that the idea of a supply chain oriented blockchain that's capable of of assuring that all parties when they are working together are not exploiting holes in the contracts that they're actually complying in getting equal value out of whatever that blockchain system is and they're not gaining it while they can go off and use their own data to do other things if they want that's kind of the in chain and out of chain notion so it's going to be very interesting to see what happens over the course of next few years but clearly even in the example that I described the whole question of gdb our compliance doesn't go away all right so let's get to some action items here Nia what's your action item I suppose but when it comes to gdpr and blockchain I just have a huge number of questions about how they're actually going to be able to enforce it and when it comes to a personal information you know back in the Middle Ages when we went to the market to buy a baby pig they put it in a bag and tied it because they wouldn't want the piglet to run away because it'd take too much trouble to find it but when you got at home sometimes they actually didn't give you a pig they gave you a cat and when you opened up bag the cat was out of the bag that's where the phrase comes from so I'm just waiting for the cat to come out of the bag I I think this sounds like a real fad that was built around Bitcoin and we're trying to find some way to use it in some other way but I'm I just don't know what it is I'm not convinced Jim oxidiser my yeah my advice for Dana managers is to start to segment your data sets into those that are forgettable under gdpr and those that are unforgettable but forgettable ones is anything that has publicly identifiable information or that can be easily aggregated into identifying specific attributes and specific people whether they're in Europe or elsewhere is a secondary issue The Unforgettable is a stuff that it has to remain inviolate and persistent and can that be deleted and so forth the stuff all the unforgettables are suited to writing to one or more locked chains but they are not kosher with gdpr and other privacy mandates and focusing on the unforgettable data whatever that might be then conceivably investigate using blockchain for distributed you know you know access and so forth but they're mine the blockchain just one database technology among many in a very hybrid data architecture you got the Whitman way to skin the cat in terms of HDFS versus blockchain versus you know you know no first no sequel variants don't imagine because blockchain is the flavor of mania of the day that you got to go there there's lots and lots of alternatives all right so here's our action item overall this week we discussed on action item the coming confrontation between gdpr which is has been in effect for a while but actually fines will start being levied after May 25th and blockchain GPR has relatively or prescribed relatively script strict rules regarding a firm's control over personally identifiable in from you have to have it stored within the bounds of the EU if it's derives from an EU source and also it has to be forgettable that source if they choose to be forgotten the firm that owns that data or administers and stewards that data has to be able to get rid of it this is in conflict with blockchain which says that the Ledger's associated with a blockchain will be first of all fully distributed and second of all immutable and that provides some very powerful application opportunities but it's not gdpr compliant on the face of it over the course of the next few years no doubt we will see the EU and other bodies try to bring blockchain and block thing related technologies into a regulatory regime that actually is administrable as as well as auditable and enforceable but it's not there yet does that mean that folks in the EU should not be thinking about blockchains we don't know it means it introduces a risk that has to be accommodated but we at least think that the that what has to happen is data managers on a global basis need to start adding to it this concept of forgettable data and unforgettable data to ensure the cake can remain in compliance the final thing will say is that ultimately blockchain is another one of those technologies that has great science-fiction qualities to it but when you actually start thinking about how you're going to deploy it there are very practical realities associated with what it means to build an application on top of a blockchain datastore ultimately our expectation is that blockchain will be an important technology but it's going to take a number of years for knowledge to diffuse about what blockchain actually is suitable for and what it's not suitable for and this question of gdpr and blockchain interactions is going to be a important catalyst to having some of those conversations once again Neil Jim thank you very much for participating in action today my pleasure I'm Peter burger I'm Peter bursts and you've been once again listening to a wiki bond action item until we talk again