Because of the rise in data breaches over the years, there has been increasing data compliance, privacy, and security regulations around the world. It can be difficult for many organizations, especially startups and small organizations, to keep up with all of the rules. But this piece will recommend best practices to help organizations stay compliant.
This collaborative article is written by Dock and Maecce. Maecce is a consulting company that advises organizations on how to implement compliance-driven operational solutions for the facilitation of transactional agility within procurement, legal operations, and sales departments. Dock has been providing Verifiable Credential and decentralized identity technology solutions since 2017 and these tools can effectively help with data compliance.
- Data compliance is the set of rules, laws, and guidelines that govern how businesses and organizations collect, use, and store data.
- In response to the rise of data breaches including identity theft and the misuse of people’s personal information around the world, governments and regulatory bodies have been implementing stricter regulations on how organizations handle personal data.
- Decentralized identifiers (DIDs), Verifiable Credentials, decentralized identity, selective disclosure, and Zero-Knowledge Password Protocol, and zero-knowledge proofs are all effective technology tools that can help organizations stay compliant.
- Because it can be challenging to keep up with all of the changing regulations, organizations, especially startups, can benefit from seeking guidance from expert consulting services to ensure they are operating in a way that is compliant.
The amount of data people share online is astounding. As data compliance regulations become stricter, organizations are under increasing pressure to ensure that all client data is secure and protected.
The rise in data breaches has largely been the result of poor security practices and inadequate protection methods. In response, governments and regulatory bodies around the world have begun cracking down on organizations that mishandle or misuse customer data by instituting increasingly strict regulations that favor companies with strong data compliance policies. As a result, many businesses are now investing heavily in tools and practices that can help them protect their clients' sensitive information effectively and efficiently.
Decentralized identifiers (DIDs), Verifiable Credentials, decentralized identity, selective disclosure, and Zero-Knowledge Password Protocol, and zero-knowledge proofs are all effective technology tools that can help organizations stay compliant.
What Is Data Compliance?
Data compliance means following the laws and regulations related to data privacy and security. This includes implementing controls and processes to protect sensitive data, making sure that personal information is handled properly, and regularly assessing and updating compliance efforts.
Why Is Data Compliance So Important?
- To prevent any potential claims or fines, it is necessary to keep up with legal requirements under privacy laws and regulations.
- Preventing data breach risks protects the operation and reputation of your company.
- Ensuring that data is properly safeguarded builds trust with customers and business partners.
Common Mistakes Organizations Make in Data Compliance
- Not keeping up to date with the continuously changing privacy laws and regulations.
- Assuming that certain requirements under certain privacy laws and regulations do not or will not apply to their operation.
- Truly understanding what type of data is being collected.
- Presuming compliance under a certain framework meets all other applicable compliance requirements currently and/or in the future.
- Believing that changing processes to lower compliance risk is a potential hindrance on business operation, when in certain cases it can actually facilitate it.
Examples of Data Compliance Regulations
- General Data Protection Regulation (GDPR/UK GDPR): A European Union law that protects individuals' personal data and sets guidelines for how companies can collect, use, and store this information. It applies to any organization operating within the EU or handling the data of EU citizens. GDPR can be considered as the world's strongest set of data protection rules.
- Health Insurance Portability and Accountability Act (HIPPA): A set of regulations in the United States that protect individuals' personal health information. These regulations require organizations handling medical data to have appropriate security measures in place and limit the use and disclosure of personal health information.
- California Consumer Privacy Act (CCPA): A set of regulations in California that grants individuals more control over their personal information and how it is used by organizations. This includes the right to access, delete, and opt out of the sale of their personal data.
- California Privacy Rights Act (CPRA): A law passed to help protect the privacy rights of individuals living and working in the state of California. Companies are not allowed to sell or profit from personal information without explicitly obtaining consent from consumers.
- American Data Privacy and Protection Act (ADPPA, potential future US federal privacy law): Proposed legislation that aims to strengthen personal data privacy rights and enforcement in the United States. It includes provisions for individuals to have access to, correct, and delete their personal information held by companies in addition to the ability to opt out of the sale of their data.
Data Regulations Are Becoming Stricter Making Data Compliance Increasingly Challenging For Organizations
These regulations require minimization of data processing, which basically means that organizations have an obligation to only use, collect, or access data that is necessary for the operation. This has led many companies to drastically limit the data they collect from their customers. Some take it to the extent of only accessing enough information to meet contract obligations or as necessary to validate subscription access such as login credentials.
For example, imagine that your company is considering adding a new feature to its website. In order for this feature to be successful, it would require customers to share their contact details with your company. You certainly could choose to collect as much information as possible from each customer during this process, storing all their personal details like email address, phone number, mailing address, billing address, etc. But this would just increase the risk of unauthorized access or exposure of those very same personal details.
Instead, by using data minimization principles to comply with data regulations, a business might choose only to get essential information on their site while discarding all other personal details. This is done by requesting only the data that is necessary. In doing so, not only does the organization reduce its risk for potential breaches or misuse of sensitive data down the line, but it also ensures that customers remain comfortable and confident sharing their personal details with them online.
However, one important thing to be aware of is under GDPR’s recommendation for broad interpretation, even now under ADPPA, biometric information and login credentials are considered covered data or personal data which can trigger compliance requirements.
What does that mean?
It means that minimization of data processing is becoming more difficult. And with the effect that all these laws and regulations are causing across organizations of various sectors and locations, in lieu of this global era, the extraterritorial reach is increasingly becoming difficult to avoid.
How Decentralized Identity Helps With Data Compliance
Decentralized identity is a type of identity management that allows people to control their own digital identity without depending on a specific service provider. No party can take away people’s Decentralized Identifiers (DIDs) once they create them. Data is stored as Verifiable Credentials on users' phones rather than centralized storage systems that can make organizations vulnerable to data breaches.
What Are Verifiable Credentials (VCs) and How Do They Help With Data Compliance?
Verifiable Credentials are a digital, cryptographically secured version of both paper and digital credentials that people can present to organizations that need them for verification. A few of many examples of documents that can be issued as Verifiable Credentials include a driver’s license, government-issued ID, professional certification, and university degree. Verifiable Credentials are powered by blockchain technology.
Benefits of Verifiable Credentials:
- Tamper-resistant: The use of cryptography enables people to store, protect, and share data securely. Any verifying organization can immediately know if data inside a VC was changed or corrupted.
- ID owner has full control and ownership of their data: This is enabled by the use of decentralized identifiers (DIDs) and public key cryptography.
- Provides user privacy: People can choose which parts of their identity they want to reveal such as proving their age without showing their full name (Selective Disclosure). Through Zero-Knowledge Proofs, they can even prove their age without showing their date of birth. No personal data is stored on the blockchain. The data is securely stored with users’ mobile devices.
Cryptography is a way to protect data and communications which is why it is used in blockchain technology solutions. Cryptography involves making the data extremely harder to understand for people who are not allowed to see it. This is important for safety and following laws and regulations about keeping important information secret.
What Are Decentralized Identifiers (DIDs)?
We are dominantly using centralized digital identifiers like emails and usernames to access apps and websites. But these identifiers have resulted in many issues including people not being able to fully own and control their personal data. For organizations, there is also an increased risk of data breaches when they hold user data on centralized storage systems.
In contrast, decentralized identifiers (DIDs) can solve many of these problems. A decentralized identifier (DID) is a globally unique digital identifier made up of a string of letters and numbers that act like an identifying address that can be stored on the blockchain. It can be created and managed without relying on any central authority like a government or company.
- Are generated by a user (individual or organization) and can’t be taken away by any entity
- They are used to securely receive and share Verifiable Credentials
- Data is stored only on the user’s device rather than a centralized storage system
- Allows the owner to prove cryptographic control over them and their associated Verifiable Credentials
- Do not contain personal data or wallet information
- Enable private and secure connections between two parties and can be verified anywhere at any time
Example of a Dock DID:
Can Decentralized Identifiers (DIDs) Help With Data Compliance?
Are DIDs considered personal information?
DIDs could be considered personal information under the interpretations of the mentioned regulations. DIDs that lead to the identification of a person or even a device is indeed personal information.
If DIDs could be considered personal information, how would it assist in my minimization efforts?
If we look at the proposed ADPPA definition of covered data, we may finally get a little more guidance on this. “Information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual and may include derived data and unique identifiers.” However, it also states exclusions which include, among other things, “publicly available information” and “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”
Basically what this means is that if this part of the regulation takes effect, it could potentially be a game changer in terms of DIDs being differentiated from other types of unique identifiers. As long as the DIDs don’t reveal information that could lead to the identification of a person or device, they can be an effective tool to help organizations stay compliant with many data regulations.
As of July 19, 2022, the World Wide Web Consortium (W3C) announced that DIDs is now an official Web standard. This can help provide better control of information, enhance security, improve privacy, and enable more organizations to meet compliance requirements. W3C is a global organization that sets technical standards for the World Wide Web.
What Is the Current Standard in Password Policy?
Password storage best practices suggested by the National Institute of Standards and Technology (NIST) in the US are deployed to protect against unauthorized use of passwords. Passwords for user accounts are usually stored using a recommended industry standard encryption method. This helps to protect the passwords in case they are ever accessed by unauthorized individuals.
But a better practice in order to achieve true minimization would be the application of Zero-Knowledge Password Protocol as recommended by NIST to minimize the amount of data that is revealed during authentication. This protocol allows a requester to authenticate to a verifier without revealing the password to the verifier. With tools like Dock’s Web3 ID, users won’t even need to use passwords at all to access websites and apps.
Data Compliance Use Case Example
SaaS company ABC is getting ready to roll out their new subscription product that provides access to licensed material created by ABC to its customers and their employees. ABC has no intention of collecting any personal data from its customers, but it will need to validate their users for access to their product.
Because ABC is a startup that wants to protect their customer’s privacy, the company would like to ensure it takes practical steps to be compliant while also meeting the requirements of their investors, business partners, and customers. They also want to be compliant without having to hire additional service providers or resources for the maintenance of a stringent security program.
By integrating Dock’s Web3 ID authorization and authentication system on their platform, ABC users can securely log in with their unique DIDs to access ABC’s product while maintaining their privacy. By logging in with Web3 ID, users won’t need to use passwords at all.
By enabling customers to conveniently access their products with DIDs, ABC experiences these benefits:
- They can confidently demonstrate to their customers and potential customers how they practice data minimization which can greatly enhance their reputation
- They don’t need to store any personal user data
- They can request data from users and allow them to prove it through selective disclosure and zero-knowledge proofs, which enables data minimization
- They don’t need to worry about resetting, updating, and maintaining usernames and passwords
- They can easily verify their users without having any role in managing changes to their users’ authentication credentials
- They prevent account takeovers. Because DIDs are backed by cryptography, ABC can ensure that each user is who they say they are.
The Importance of Data Compliance in Healthcare
Dr. Charles speaks about the importance of blockchain vendors being compliant with data regulations at the 33 min and 38 second mark.
BurstIQ is a company that is using Dock’s Verifiable Credential technology to make health data in their system verifiable, secure, and portable. Dr. Wendy Charles, BurstIQ’s Chief Scientific Officer, went on Dock’s Identi3 podcast and spoke about the importance of blockchain vendors being compliant and up to date with regulatory requirements.
Dr. Charles has been involved in clinical trials for 30 years and has an extensive background in regulatory compliance and operations. She said that some regulations require organizations to evaluate and document their approach in the entire software development lifecycle. Many of the technical controls and safeguards must be built into the technology itself for the capture and review of event logs.
But when she speaks with blockchain vendors, she’s concerned that many of them don’t know the extent of their regulatory responsibilities or conduct enough due diligence to document their approaches. If blockchain vendors aren’t compliant, they can’t even be used by regulated organizations. Even if they did get used, it could create vulnerabilities as patient information could be exposed and lead to highly publicized issues.
When she speaks with regulators directly, they insist that blockchain is not incompatible with GDPR. It just requires organizations to do enough due diligence and planning.
Best Practices in Data Compliance
- Understand the type of data that is being collected and why
- Limit the access and/or control of personal data as much as possible
- Stay up to date with the latest changes in requirements adopted by privacy laws and regulations
In relation to data compliance, Verifiable Credentials and decentralized identity technology solutions provide an efficient and secure way for individuals to manage and share their personal data with organizations. By allowing individuals to control which attributes or pieces of information are shared, these technologies support the principle of data minimization. They also enable more transparent and accountable data sharing processes, helping organizations comply with data privacy regulations. The use of digital signatures and cryptographic algorithms in Verifiable Credentials and decentralized identity systems helps ensure the authenticity and integrity of data. Overall, these technologies can play a valuable role in data compliance efforts.
Decentralized Identity Technology Features That Can Help Organizations Be Data Compliant
Secure and privacy-preserving authentication and verification
Dock’s Web3 ID is a blockchain-based authentication and authorization system that puts user privacy first. Developers can grant access and verify end-user eligibility by requesting private data from users' non-custodial identity wallet apps. User consent is always required.
Zero-Knowledge Proof (aka Zero-Knowledge Protocol)
Zero knowledge proof is a method where someone can prove that something is true without revealing the actual details that support that proof.
- Someone logging into a gambling site can confirm that they are over 18 without revealing their birth date
- Proving ownership of certain assets without revealing the specific details or exact quantities
- Eligible users of an association can vote anonymously and verify that their vote was included in the final tally
Selective disclosure is when you share some information while keeping other details confidential. You can share specific data with certain people, like only giving a payment card number to a verified merchant but not your address. Or someone may show a necessary part of their credential like their name without showing an entire driver’s license. Selective disclosure helps keep people in control of their personal information.
One example of a company using selective disclosure in relation to data compliance is a healthcare provider allowing patients to share their medical information with insurance providers while keeping other details confidential. The patient can show their insurance provider only their relevant medical test results and documents for the claim while keeping other medical details private. This allows for secure and compliant data sharing while also upholding the patient's right to privacy.
The Benefits of Leveraging Services to Keep Up With Compliance Regulations
Compliance and risk management plans can vary depending on the industry, type of company, or even type of product or service. That being said, compliance and risk management are increasingly becoming a mandatory component of just about any organization’s operation. Disregarding it, postponing it, or simply assuming is not applicable, will no longer be possible.
One compliance approach or initiative an organization takes may not necessarily be the best fit for another. That’s why truly understanding compliance requirements based on an organization’s own current operation, needs, and the needs of their customers can help leverage the right tools and services from compliance experts that are the best fit for them.
How Compliance and Agility Can Coexist
A compliance approach can be tailored to the basic need and budget. With the use of the right tools and services, a compliance approach can not only be cost effective, but it can also streamline agility, and even be used as leverage for a potential increase in customer base.
Implementing a security program tailored to address all applicable privacy laws is difficult. However, using an adequate framework to build an effective program can not only assist with achieving compliance with the various privacy requirements, but it can also serve as a competitive advantage by demonstrating the value the company places on the protection of personal information which generates trust with investors, business partners, and customers.
Contact Maecce if you have any questions about data compliance.
Data compliance is an important aspect of any organization's operation and helps prevent fines, claims, and data breaches with increasing regulations on how data is protected and handled. By leveraging the right tools and services, compliance can not only protect sensitive data, but it can also improve agility and enhance trust with customers.
These technology solutions can help organizations stay compliant and competitive:
- Decentralized identifiers (DIDs)
- Verifiable Credentials
- Decentralized identity
- Selective disclosure
- Zero-Knowledge Password Protocol
- Zero-Knowledge Proof
This content does not constitute legal advice and is not intended to be a substitute for legal advice and should not be relied upon as such. You should seek legal advice or other professional advice in relation to any particular matters you or your organization may have.
- Blockchain and Health Care: BurstIQ Use Cases
- How to Prevent Certificate Fraud
- How to Prevent Supply Chain Fraud
- Digital Credentials
- Blockchain Identity Management
Dock is a Verifiable Credentials company that provides Dock Certs, a user-friendly, no-code platform, and developer solutions that enable organizations to issue, manage and verify fraud-proof credentials efficiently and securely. Dock enables organizations and individuals to create and share verified data.