Investor sees blockchain as key to GDPR compliance

Register now

The rules that govern data are changing rapidly, creating confusion for the companies that use blockchain to support payments, as well as potential investment opportunities for third parties that can ensure compliance.

The General Data Protection Regulation, which goes into effect on May 25, and the Payment Services Directive, which went into effect in January, are expected to have global impact as financial institutions and other companies comply with how data is shared between banks and fintechs in the case of PSD2, and how data is stored and accessed—as the case with GDPR.

GDPR compliance is not expected to get off to a good start, which could provide an opportunity for technology companies that can handle the complicated requirements, particularly those that can manage the blockchain in line with the standard.

"There are obstacles and challenges for the blockchain from GDPR," said Bassim Al-Khafaji, a partner at Andra Capital, a San Francisco-based firm that is building a late-stage technology growth fund that uses blockchain to open access to a broader range of investors than a traditional VC fund.

The company isn't disclosing specifics, but is partly interested in fintech development that uses the blockchain and smart contracts to expedite payments and remove differences in payment processing and systems that have held back automation. "We see blockchain as part of a global payments system," Al-Khafaji said.

Andra did not reveal the size of its fund. Its partners include Duff & Phelps and Deloitte, and technology blogs report it's about halfway to a goal of $1 billion, with institutions, family offices and hedge funds among the investors. Andra is raising funds ahead of its Silicon Valley Coin token launch scheduled for the summer.

The process of data sharing, on or off the blockchain, is complicated by GDPR, according to Tim Sloane, vice president of payments innovation and director of the emerging technologies advisory service at Mercator. As an example, the address data sent to issuers by merchants using 3D Secure 2.0 will be restricted in some countries due to privacy laws and GDPR, Sloane said.

"There is significant research underway to determine how data can be shared without revealing restricted information, as is possible using Zero Knowledge Proofs," Sloane said, adding ZKP allows responses without providing confidential details. "For example, you can ask my bank if my salary is greater than $100,000. If I let the bank respond, they may answer yes or no. So my actual salary is not revealed."

There are some elements of blockchain technology that don't easily exist within GDPR requirements. For example, GDPR gives individuals the right to delete or change personal data, which is hard to accomplish in a decentralized model.

"The blockchain won't do that, and it's also hard to modify transactions on a permission-based manner," Al-Khafaji said.

Andra will be looking for companies that can help manage that part of blockchain data risk, or that can help other companies that want to use blockchain for payments, health care records or other transactions while complying with GDPR and PSD2. The technology is still emerging, but there are hybrid structures that can work alongside blockchains to allow the kind of data access and manageability that's required by the new European standards.

"Some of these challenges are being addressed in the emerging technology," said Al-Khafaji, adding that the permissioned ledgers can hide, delete and change data based on GDPR standards without sharing that data with other users on the broader blockchain. There is also code that can allow peer-to-peer communication within a subledger.

"This tech can also execute a payment as a 'referral' so the actual transaction and data are not on the [main] blockchain," Al-Khafaji said.

Andra Capital is also working on its own compliance for the Silicon Valley Token, which will provide access to investors to participate in investments. All investors will have to undergo a "know your customer" money laundering exam.

"We want to democratize VC by allowing global investors to participate in top-tier VC, which was previously only accessible to the 'big boys' club with deep pockets," said Haydar Haba, managing partner of Andra Capital.

For reprint and licensing requests for this article, click here.
GDPR Compliance Payment processing European Union