General Data Protection Regulation Complied Blockchain Architecture for Personally Identifiable Information Management

Abstract

Surveillance and secrecy breaching incidents of users' privacy questioned the current third-parties data collection procedure. Massive amounts of Personally Identifiable Information (PII) are being exploited due to malpractice, identity theft, spamming, phishing and cyber-espionage. A large amount of data flow from users to enterprises for data-driven market analysis and prediction. Consequently, it is tough to track the flow and genuineness of PII. Blockchain technology, an ‘immutable’ distributed ledger which can efficaciously track PII exchange, store, and distribution. In contrast, ongoing EU General Data Protection Regulation (GDPR) demands ‘right to forget’ and ‘should be erasable’ rights. However, this paper proposes an off-chain Blockchain architecture which uses both local database and distributed ledgers to preserve a trustable PII life cycle. Considering the key factors of GDPR, prevailing Blockchain architecture were modified and a prototype was created to validate our proposed architecture using multichain 2.0. Proposed architecture stores PII and Non-PII physically separated location. Finally, with proposed architecture user will realm privacy and rigidity of Blockchain along with the privacy regulation of GDPR. Validation is done by comparing proposed system with existing methodology from technical aspects, future research scopes is also well advocated.