Good morning and welcome to the Digital Supply Chain Institute's eighth blockchain Collaboratory. Thank you all for joining in whatever time zone you're in. Good morning, good afternoon, good evening. I'm Sean Muema. I am the Technology Research Leader for the Digital Supply Chain Institute and I'll be the moderator for today's meeting. We hold these sessions periodically to inform our members on current technology trends and have recently focused on the enablement of enterprise blockchain networks, which is the focus of our discussion today. And we'll focus in on the EU General Data Protection Regulation and its impact on blockchain when using it as an enterprise workflow automation tool. So again, thank you for joining, and as we get started here let me turn it over to George Bailey, the managing director for the Digital Supply Chain Institute. George?
Yeah, thank you, Sean, and welcome everybody to this meeting, and I'll just say a few things to explain a little bit about the organization that we're part of. Not all of you are members of the Digital Supply Chain Institute but I think all of you will be interested to know about what we do and how we do it. And we are, as it says on the slide, a leading edge research institute that's focused on where digital supply chains are headed, where they're going. And I think there's three things that make us especially different from any other organization out there today. The first thing is the quality of our membership. We have a whole set of leading edge companies, great companies from around the world who are part of the Digital Supply Chain Institute. And in all cases it's the very top of the house that represent their company. So we have for example Colgate-Palmolive, a fabulous company, and their head of supply chain is a member and their CIO is also a member and participate heavily in all of our work. Same thing is true for Dell and SAP and so forth and so on.
So we're really lucky to have high-quality membership, not just the companies but also the people who represent those companies. And it's a mix of large companies from around the world but also some leading edge and innovative new companies. So for example in Chile we have a company called Anastasia, or Anastasia, and you know their founder and leader is on the call with us today. So large and small companies, great companies, high quality. Second thing that makes us different is the kind of work that we do. We do applied research. We do work about what does it take to really get the benefit of a truly digital supply chain and how to make sure that's executed as rapidly as possible. And you know our founder is Sam Palmisano, who was the CEO and chairman of IBM, and he makes sure that whatever we do is not theoretical but applied. Something that can be done, implemented, executed, and result in superior financial return. So it's the quality of the research. And the final thing I'll mention that makes us different is we have the really high quality meetings around the world that bring people together to share ideas and learn from each other. So and this is a big asset. So we had one recently in Santiago. We had one before that in Waldorf. We are going to have one this year in Belgrade and another one in Dallas. And in each case these meetings are sponsored by a leading company and also held in a venue that's really special. So we generally have about 100 or so top executives attend and the idea sharing that goes on is simply extraordinary. And the amount of networking that happens as a result of those meetings is also extraordinarily positive. So those are the three things that make us different than other organizations. And we've been focused on the things that really help a supply chain be successful. So for example, algorithms. But the one we're talking about today is a very special supply chain using blockchain. And this is something that's 2016 we've highlighted.
We said, you know what? Supply chains really could use the value out of a blockchain system. Now what we know is not true. But on the other hand, when you apply it correctly, you can get substantial gains. So we have one member company that we work with extensively who achieved 33% reduction in cycle time, 30% improvement in productivity, meaning less cost, and 11% improvement in quality. So that's really a breakthrough result that happened because blockchain just worked that well. So you'll hear the panelists talking about how that happens. And you're also going to hear about how you need to do blockchain in the right place, but also taking into account the legislative environment that we live in around the world. And that's going to be a big focus of this discussion. So, Sean, I'll turn it back to you now. Thanks.
Thanks. Thank you, George. We're going to focus in today on the paper that we wrote on blockchain and GDPR. We wrote it in conjunction with Slaughter and May and Cravath, Swaine & Moore. We have partners from those organizations with us today that will take us through the research and the findings. The papers, there's two versions of them. First, the long paper, the full version, is March of the Blocks. And then there is a shorter version called The Right to Be Forgotten Meets the Immutable, talking about the fact that once you write to blockchain, it's immutable. So how does that intersect with the data privacy regulation? Those papers are both available on our website. In addition, the longer paper, March of the Blocks, is available on PageTiger. Please download those, read them, you'll find them interesting. So with us today, authors of the paper: Rob Sumroy from Slaughter and May, he is a data protection expert, one of the foremost in his field. So he will lead the conversation, the paper, and Dave Kappos will support him, who is one of the foremost attorneys in IP.
Dave ran the USPTO, the Patent and Trademark Office, for a number of years as assistant secretary of commerce. Unfortunately, Jody Cleworth was going to join us today. He is the founder of Marine Transport International. And we used MTI as the example within the paper. Jody unfortunately had a medical emergency today and can't make it. So you're stuck with me backfilling his role. Next slide please. What we'll do is we'll walk through, I'll tell you a little bit about MTI. Talk a lot about the paper, and then wrap it up with a little roundtable discussion before you open up to questions. So a little background on MTI, which, which I mentioned, we used as the example throughout the paper. MTI specializes in blockchain for the shipping industry. Jody and his team have been in the shipping industry for 20 plus years. And they have developed a blockchain, they call it an adapter, that sits between systems of records such as SAP and the blockchain database architecture. So this has enabled MTI to then develop pilots with the Port of Rotterdam and also Hull in the UK. And they have formed a close working relationship now with Her Majesty's Revenue and Customs, which is exciting times, of course, with Brexit. Jody approached us probably about six months ago, said, gee, you know, I understand shipping, I understand technology, I understand blockchain. But people are asking me about GDPR compliance, and I don't understand that so well. Can you help us? So we kicked into gear, talked to Dave and Rob. And we said this is an interesting subject for us. There's nothing out there today that provides guidance on the issue. In fact, there was very little at the time about GDPR compliance in general. We got together and wrote the paper that we'll talk about today. Next slide please. Rob, if you'd like to pick it up.
Sure. Thank you, Sean.
So yeah, it's a pleasure to be presenting here on this. I would say this slide and the next one, they're both overview slides. The first one is an overview on blockchain and the second one is an overview on GDPR. And the challenge to summarize blockchain in a page or GDPR in a page is always a bit of a tasty challenge. But let's give it a go. I think we're assuming that most of the people who are listening in on and watching on this webinar will have some idea about blockchain and distributed ledgers. So we're neither going to go back to the beginning, nor are we going to go very deep into technical explanation, because of the time. But what we're trying to do here is describe some of the facets of blockchain and distributed ledgers that are relevant to the question as to whether this technology can comply with the privacy requirements around GDPR. So you know, one thing we know about blockchain, the I'd say one of the great things about the technology is that it's each block in the chain is a measure. It's a collection of data. And each block then also contains a hash of that data. And every time you add a new piece of data on a new block on it not only has all of the information from that block, but it will also contain all of the hashes of all of the previous of the previous block. And so in that way, it becomes a chain. And it also means therefore that if you make any change to any block along the chain, it will not be consistent with the hash of that block. And that's what breaks the chain. So when people say the blockchain is immutable, what we really mean by it is it's an absolute verifiable record of the truth. And it is very easy to see where it's been tampered with. That's what blockchain is. Why is it useful for people like MTI, we're going to come and look at their case study in a minute, but it works very well as a technology to do distributed ledgers. Now, distributed ledger is exactly what it says on the tin. It's a ledger.
So it's a record of data which is distributed. In other words, it's not just in one place. There isn't one official record of data which is controlled by a party or a person or an appointed custodian, but rather the network of nodes or the network of participants, everybody on that network has their own copy of the ledger. And because it uses blockchain technology, each one can on a consensus basis check that it says the same as everybody else's. And as long as the majority of people in that network have a record that says the same thing, that is the verifiable truth. And that's basically how blockchain distributed ledgers work. And as you can see from this slide, it uses powerful encryption technology, which means people can control what they put up there. And there's a lot of an ability to keep things private on the chain and to control it, make sure it's not tampered with. It's an add-only ledger, a bit like bank ledger. So once something's on there, it's never taken off. It's just you add to it. The two sides of the ledger will always add up to each other. And the final thing I'll say in the overview is that there are many flavors and styles of blockchain, but two distinctions it's worth thinking about certainly from the GDPR compliance perspective, whether a blockchain is public or private, on the one hand, and whether it's permissionless or permissioned. So just to very briefly explain that, as it says, as you would expect by the words, a public blockchain is one where anybody can join, there are no rules, anybody who's got anybody who downloads the software and basically download the blockchain and keep a record. And as long as they've got sufficient processing power, then they can be part of the blockchain. Whereas a private one is a club, and you have to join it, you have to be given permission to join, there are rules and governance around it. And then permissionless versus permissioned.
Well, again, it's a similar thing, but permissionless means anybody can add to the blockchain, anybody can add any transactions, anybody can add any data, whereas permissioned, it's controlled by the rules of that distributed ledger. And so although people talk in very general terms about blockchain, it is important to think about whether something is a truly public blockchain in the very broad philosophical sense or more private, and whether it's permissionless or permissioned. So I think Sean, I mean, I'm very interested for you or for David to add in anything in terms of the overview, but from our perspective, those are the factors of blockchain technology that make it an interesting case study for GDPR.
Yeah, yeah, right, Rob, Dave here, and thanks, that's a great summary. I would just add a couple points, scoping out and taking a look at the big picture, you know, as Rob has explained, blockchain is a powerful technology and you know, and it truly adds to what information technology can do for business. If you scope up a bit and just, you know, ask the sort of the really big picture question, what does blockchain do, you know, sort of on the level of the internet, the internet enables people anywhere in the world to get access to information, and now business processes put in place and promulgated by others. And the blockchain for its part, in the concept of blockchain at its highest level, is really about trust. And this is why you're going to see in a minute how it works so well in an application like MTI's. But blockchain fundamentally, you know, because of the aspects that Rob explained, enables people who don't know each other to gain trust in one another and businesses that don't know each other to trust one another and people who don't know businesses and people and businesses who don't know people to nevertheless trust them.
It also fundamentally changes the nature of the way we look at systems, databases and information technology, because it enables us to reimagine what had historically been centralized systems by definition, because we needed one trusted source for information, whether it was the government or a single business or whatever, to reimagine those centralized systems as distributed systems where there's no single point of trust, but trust comes from the ability for all the participants to look at and verify what all the other participants are doing. So I'll stop there. But I just thought I'd add those sort of big picture points and back over to you, Rob.
Thank you. That's great. And Sean, I think we can move on to the next slide, because now we're going to have a look at an overview of GDPR before we then tie them together to answer the critical question that MTI were asking us, which is, can you have GDPR-compliant blockchain? So again, I'm sure many people on the webinar and listening in will have heard of GDPR. It stands for the General Data Protection Regulation. It's an EU regulation. So it's a law which applies in the EU member states. It became effective in the middle of 2018. So as you can see, we are very close to the first anniversary. I would say it's still very much new law. So what I mean by that is guidance from the national and cross European regulatory bodies are still coming out. Just by way of example, and I suppose by coincidence for this webinar, only yesterday, we had the 10th plenary session of the European Data Protection Board, which is the groupings of European regulators, whose job it is to ensure the implementation of GDPR in their national territories. And on the agenda for the discussion of the 10th plenary was blockchain. We have got hold of the minutes from it. But actually there's nothing written at all on that agenda item. So either they didn't discuss it.
I don't know if anybody on this webinar was attending the plenary session and can feed in some information, but either it wasn't discussed or nobody's written the minutes up yet. But it just goes to show that when we're talking about can you be compliant with GDPR when you're implementing a blockchain solution, that would be an interesting question if the law and the guidance was settled. But it's still a very moving feast. It's not just relevant in the EU, which I think is an important point. The regulation has, in effect, cross-territory jurisdictional reach. It is relevant to the processing of personal data or data about living individuals. It's relevant if that processing is in connection with an establishment in the EEA. So obviously, lots of processing relevant to EEA establishments can go on outside of Europe. It also applies if an entity is established outside of the EEA, but they're offering services for sale or monitoring individuals in the EEA. So it does have quite a broad reach. The other reason why I think the question is relevant on a global basis and not just on a European basis is because there are new data privacy regulations throughout the world. We're seeing states, and Dave Kappos can talk to this much better than I can, have state laws and possible federal laws in the US, but also in Asia and across other parts of the world, in Australasia as well. And whilst they're not all the same as GDPR, a number of the principles and concepts that we see in GDPR are now common to a number of laws. So I think this question that CGE has raised is a really important one, which is how can we make sure we are able to implement blockchain and still protect people's privacy rights? So let's look at some of those principles of GDPR as they might apply to a blockchain solution.
I think GDPR in itself represents quite a significant shift for data privacy, certainly within Europe, because it's introduced a concept of a fundamental right of an individual to control what is done with that person's data. So in other words, data privacy and compliance can no longer be a bit of an afterthought. So we can't have MTI implementing a blockchain solution. And then as an afterthought thinking, oh, how do we get our lawyers to tell us that this can be compliant? They actually need to be designing the compliance with privacy regulation right in at the beginning. And this privacy by design principle, which comes out of Article 25 of the GDPR, is really intended to change organisational attitudes towards the protection of personal data to try and make it a pervasive issue that's considered by all organisations as business as usual. So MTI would good to ask the question, I think is one thing. But there are some other principles which it's worth us considering. For example, the person processing individuals' data should only do it for the purposes that they have obtained that data. So it's this principle called purpose limitation. And so if you have a blockchain solution, which maybe can be used for various purposes, you have to always be engaging with the individuals whose data you're doing to make sure that those purposes are still consistent with the reason they gave you the data. There's another key principle around minimisation. It's this idea that you should only process data to the maximum extent, or the minimum extent necessary, I should say, to achieve your legitimate aims. So a lot of new technology in the digital world, not just blockchain, but AI and other types of new technology gets a lot of benefit from maximising the processing of data. And that seems to be at odds with this principle around minimisation. There's also a key principle around individuals, so-called data subjects, who the data belongs to, having certain rights.
And we're going to look at those in more detail in this webinar, but things like the right to know what data you have on them and understand what you're doing with it, the right to access that data, the right to rectify it if it's inaccurate, and in some cases, the right to have it erased, the so-called right to be forgotten. And then the final principle, which I'm going to talk about is the fact that data, sort of a localisation element, that data needs to be kept within the EEA, unless either it's going to a territory where there are adequate protections and those are decided by the EU regulators, or the various people exporting the data outside Europe and importing it into non-European countries have entered into the requisite contractual arrangements. And so there's quite a process driven administrative element to data leaving Europe. And when you have a global solution, which blockchain often is, that can raise issues. The final thing I will say is that the regulators, like I mentioned, the European Data Protection Board and some of the national regulators are focusing very clearly on new technologies, things like blockchain, these are where personal rights are seen most to be at risk, where individuals are perhaps least likely to understand what's happening to their data, and what the impact of them giving you their data is going to be. And so, for example, they require what are called data protection impact assessments to be carried out by people processing data. And so very much in the blockchain solution environment, you would expect people to be implementing these DPIAs, these impact assessments to really understand what the impact is on the individual before setting up a technology. David, I don't know if you want to add anything around general GDPR overview. I've left the harsh penalties bit for you to underline.
Yeah, thanks, Rob. I'll come back to that.
Indeed, harsh penalties, as we're seeing from a few of the early investigations that have occurred, going after companies that collect and process a lot of personal information in Europe. In some cases, American-based companies, but companies, you know, think Facebook as an example, Google as another example, that do lots of business in the EU and collect lots of data there. And as Rob was alluding, the fines are up to 4% of annual turnover. So they can be very serious. Just a couple of other comments that I'll add again on the kind of big picture level. As Rob mentioned, the GDPR applies not just to European companies and people, but really anyone who's doing, broadly speaking, doing business in Europe. And that means it really applies globally, and it applies to any company with a global business. What I'm seeing as a US-based lawyer, when I advise US-based clients, is that as I ask them a few questions, even if they don't initially think that they need to pay attention to the GDPR, we almost always find that they do. So think of GDPR very broadly. We may talk later about other, as Rob alluded to, similar legislation in other places, but we come back to that later. One other comment that I'd add is that as Rob mentioned, there are these rights in the GDPR, the so-called right to be forgotten, which as Rob mentioned is a qualified right, meaning it's not absolute. But in many cases, a person whose personal information has been collected has the right to tell the party that collected it: I want you to delete it. I don't want you to know about me. And then secondly, as Rob also mentioned, there is an absolute right to rectification, meaning that if you as a person find that a party that's collected data about you has false, erroneous, incorrect data, you have the absolute right to have it corrected.
The reason I bring back to these two points is because if you think about them and as we find, as I find in my day-to-day work advising clients in order to comply with these requirements, your business must keep much better track of the data that it's collecting. I regularly run into situations where we talk about this and the client at a technical level, like the CTO, the CIO at the client, will say, well, wait a minute, we don't actually have a way to track how to find people, how to verify their information, how to verify their identity, even if they came to us and said, delete information about me or fix information about me, we don't necessarily have a way to find that information. So that gets to a major new requirement inherent in these GDPR requirements, which is a technical requirement to track correspondence between people about whose information is collected and where that information is stored so that you can comply with the GDPR if and when you're asked to either delete someone's information or fix an error. I'll stop there, but I just again would say GDPR has very broad, very global applicability, and it almost across the board requires some attention to information technology systems in order to comply. And back to you, Rob.
Okay. Thanks, Dave. So if we just go over to the next slide, we, Dave and I, were approached by Sean and others at CGE with MTI as a case study, with this question, which is, can blockchain solutions comply with GDPR? So the first thing we did was we said, well, okay, why will blockchain not be compliant with GDPR? And that's sort of up on the slide now. I think there's one more bill that's still on the slide. I don't know if you can, there we go. So we're not going to spend a lot of time on this because actually what we're trying to say is how can it comply rather than what could the problems be?
But just to set the scene, as you can see here, looking, you know, on the left, we've got some of the key factors of blockchain, which we've already introduced, like, you know, it's a great way, it's a great ledger solution. So it's a fantastic way of securing and processing personal data. Just for those who aren't aware on the terminology, processing is really anything you can do with data. So any verb you can think of, including storing, but certainly, you know, processing, transferring, transacting, transmitting, whatever, processing personal data. But of course, as we've said under GDPR, there's a very important requirement of data minimization. So there is already a potential conflict. Then you say, well, blockchain is a fantastic solution because it's immutable. So in other words, it's there forever. The data cannot be deleted. It's there forever in time. And yet Dave Kappos at Cravath has just told you that there is an absolute right of rectification and a qualified but pretty firm right to be forgotten. So there's a conflict. Then we've got an issue that says the blockchain is global. It doesn't believe in national borders. That's the great thing about it. And we're going to look at the MTI solution. It's frictionless. Data transfers everywhere immediately. There's a copy of the ledger at every node. And yet GDPR requires data to be kept within national borders or certainly regional borders, unless there's some very strict provisions. Okay, then we've got the fact that blockchain is new technology and it's being implemented in a way that maybe people won't understand it. And GDPR says this all has to be done with privacy built in. And the final point is that because blockchain is distributed, and particularly if it's in a public blockchain, permissionless, anybody could be on that network and anybody could be doing anything with the data. And yet GDPR has certain requirements that the individuals need to know who has the data.
We call it the fair processing information. So who are the controllers of the data and what are they doing with it? So I suppose this is one slide of showing everybody that Dave and I understood the question. We could see that there were potentially conflicts. What we did digging around this, there were a lot of people in the technology and legal sectors who were talking about the potential problems, but there weren't enough people from our perspective. There wasn't anybody who really was coming up with a clear vision or paper as to how actually these two could be consistent and how we could have a compliant solution. And we are, I think, if I'm right Sean, we're going to move on now to look at what MTI's particular solution does and why they have their solution. And then Dave and I will talk a little bit about how we think that the MTI solution can comply with GDPR. And actually, by the way, with that, sorry, I know we don't have Jody on and this is probably a slide Jody was going to speak to. I am more than happy to give this a go. Or Sean, if you want to chat to this one, let me know.
Yeah, why don't you go ahead, Rob, and I'll support you on it.
Okay, cool. All right. So what we understood, and it was my first personal sort of foray into the international shipping industry, so this was useful. But what we understood from Jody or what MTI are trying to do with their solution is to deal with some of these issues that you see on the slide. So when you ship large containers around the globe on the back of transporters, big shipping transporters, it won't surprise you that there's a heck of a lot of data that needs to be recorded. There's a lot of regulations. You need to know what's inside the containers. You need to know who's responsible for it, and you can't move them from one place to another without getting sign off. And this is a very data intensive process. But with the current technology, there are certain problems.
One of which is that there's a lot of sort of lack of transparency and lack of trust in that the various people playing in the market tend to be competitors and they don't like the idea that everyone will have access to everybody else's data. And they don't like the idea also that they're going to be sort of operating on any particular platform or technology that one of them has developed. Another problem that they have is around sort of this discrete transactions creating friction and the data silos, which is, as goods move around the world, what tends to happen is that each place it goes, the paperwork will be signed off and sent on to the next place, then it will be signed off and sent on to the next place. And because this is not a distributed ledger, nobody further down the chain can start work until they've actually got the paperwork. And so it's a hugely slow process, very inefficient. And there are significant amounts of regulations which require that extensive records can be kept. And yet there's no obvious technology solution for doing so. So far beyond my own technical capability or knowledge, people within MTI have developed and devised a fantastic solution, particularly with a very clever piece of middleware, which means that this middleware can sit on top of any network or blockchain network solution and enable all sorts of consortia of shipping companies and stakeholders within the shipping industry to have one distributed ledger in which all the data can be stored in an encrypted and secure manner. And everyone can access the data at all times. Everyone can know around the world where everything is happening and can act on it in a time that works for them. That is the solution that they have adopted in order to deal with the particular data problem that they have. Again, Sean, Dave, I don't know if there's anything you want to add before we move on to the privacy by design elements of it.
Yeah, thanks, Rob.
To me, shipping is the perfect application for blockchain in creating cross-enterprise trust among disparate parties that naturally don't trust the information that they receive. It's not timely today. There's lots of middlemen, lots of friction in the process. It's very surreal. I've seen research that says shipping costs could drop by more than 30 percent using an automated workflow solution such as blockchain. And MTI certainly has been on the forefront of providing that sort of solution. Back to you, Rob.
Well, hey, Sean, thanks, Dave here. Just a couple of further comments. One is that if you're sitting there thinking, you know, so this is the shipping industry. How does privacy and personal information come up? It's a good example of how it turns out. PII, private, you know, personal information comes up just about everywhere. We were asking that same question, Sean and Rob and I, when we first started working with Jody on this project, on scratching our head saying, Jesus, this seems like it should be easy because you're talking about data about pallets of widgets and bills of lading and things about information about objects, things that are inanimate and don't involve people's privacy data. And then as we began speaking with Jody and looking at some of the examples that he presented to us of the data that MTI is required to collect and manage, we began seeing things like signatures of people, driver's license numbers, photographs of trucks as they're entering and exiting ports and in the photographs are included the bright shining smiling faces of the drivers of those vehicles and on and on and on. And so what we found very quickly is that even in an industry that you wouldn't think is characterized by large amounts of privacy information, there's plenty of it. And it turns out there's a lot of it with data being collected on such a ubiquitous and extensive nature now and just about everything that happens in the world.
It won't surprise any of you on this call that almost no matter what industry you're in, you will be collecting and exposed to and dealing with lots of PII. The other thing that I thought I just come back to for a moment, Rob mentioned this was the importance of the middleware layer and it really does turn out to be important as the crux of the solution. We'll come back to it in a few minutes, but I just want to be sure everyone has in mind that the presence of a middleware layer in a blockchain turns out to be critical to being able to not only manage the technology, which is why Jodi created it in the first place, but also to be able to manage the PII issues. And then the last thing I'll just mention briefly is that what you heard from I think both Sean and Rob was the challenges of getting parties to work together in this industry. It turns out that we found from from this experience and others and from the developing use cases for blockchain more generally that no industry we've seen yet is destined to have a gigantic number of blockchains. And the reason for that is that network effects play a significant role. And as a result, what we're seeing is that industries can support at most a couple of blockchains, usually more like one for a solution like the one that we're talking about here that's intended to have global and broad based implications and adherence. And as a result, to make a make this solution work from a business perspective, you've got to get the six, eight or so biggest players in the industry or more are working together and sharing information and putting these things together. And that comes back to Rob's point at the beginning that it's a real challenge to set these things up. We're finding that a joint venture structure is the one that works. 
And the reason I mentioned all of this is that having the joint venture on the business and legal side turns out to provide the opportunity for the governance that maps and matches with the governance on a technical level that takes place in the middleware. And it's those two things together, the business contractual legal governance through the joint venture and the technical governance through the middleware layer, that is, if you will, the Eureka moment that enables blockchain and GDPR to coexist. And when having set that up that way, I'll now turn it back over to Rob.

Thanks, Dave. So if we just very quickly flip to the next slide, I actually think we've probably covered most of these, but this is just confirming that MTI's solution raises GDPR issues. As Dave quite clearly says, there's a lot of personal data that you need or that you will come across in a ledger related to international shipping. The companies are established, not just in the EU, but doing business or processing in connection with an EU establishment. If you distribute the ledger, then this ledger is then going to be on computers, on servers all around the world. And that each one of those can then be a data controller or a regulated entity under the GDPR. So, you know, it does pose issues. If we move now to the next slide, this I suppose summarizes our privacy by design solution for MTI. There's quite a lot of words on there. So let me just pick a few things out. The first thing that I think we would say is if you want to operate a public permissionless blockchain in true, you know, fundamentalist blockchain distributed ledger fashion, it is going to be extremely difficult. We might say impossible to comply with GDPR if personal information, personal data is going to be processed on that. So I think the first thing that makes MTI's solution a sensible privacy solution is that it is a private blockchain solution and it is permissioned.
And this goes to the joint venture that Dave just talked about. And we're going to talk quite a bit about having a proper governance process and governance arrangements in place between each of the participants. It is the ability to have participants agreeing to a set of rules and regulations and having it as a closed blockchain solution that enables GDPR compliance. So the next thing that is good privacy advice as we would always say is why do you need to process personal information in the first place? Now, Dave has already told us that there's a lot of personal information, personal data in the shipping industry, but that doesn't mean that it needs to be on the blockchain. And so one of the things that we helped Jody and his team design for MTI is to have privacy if you like kept off chain. And this relies on clever encryption technologies. But in effect, the data that needs to be on the chain, say it might be the record of a shipper's name and address and email contact details and maybe a photo scan of their signature, rather than that being put on the blockchain, that will be hashed with some strong technology, some strong strong encryption and it will only be the hash outcome of that personal information that's actually stored on the chain. And the actual personal information will be kept off chain. Then if anybody needs to access that personal information, the blockchain technology will give them the hash and will explain to them how in effect they can get hold of the information through the off chain governance route. And they will then get access if they need it, they'll get access maybe proof of identity off chain. So the ledger still does its job properly. It still has data passing around the world in a frictionless way. It's immutable. It's a verifiable true picture of what is the truth. But the personal data is only on there in an encrypted way. 
Now encrypted data is still personal data for the purposes of the blockchain in many ways without having got enough time to go into the details now. But GDPR has a concept of pseudonymization and in that sort of situation where it's encrypted, but there is a key for you to unlock it, then the encrypted data on the chain with access to the key means that it's still personal data for GDPR. But it's significantly easier to comply with GDPR if what you have on the blockchain is the hash rather than the personal data itself. So we have, as I said, private permissioned blockchain. We keep as much personal data off the chain as possible. One of the amazing things that Jody's solution at MTI does is it uses or it proposes to use AI and other sophisticated technology to actually prevent people from uploading personal data onto the blockchain, except where it is absolutely necessary for the purposes. And you can already hear there the language of the GDPR. Don't upload it onto the chain unless it's absolutely necessary for the purposes. So people may want to, for example, upload someone's name or email contact details where they don't need to do that. The middleware technology will block that. So that is another privacy by design solution that will help Jody's technology to remain GDPR compliant. I mentioned the governance framework and by having a set of rules between the various stakeholders, those who are running the nodes of the blockchain, we can ensure compliance with GDPR around things like making sure that the information, the fair processing information is provided to all individuals at all times. So if data is going to be processed on the blockchain, each of the individuals will have access to information about who those stakeholders are. They will know how people can get hold of the hash keys in order to see personal information and the security around the access to those hash keys will be controlled as well.
And also all of the contractual provisions that are required, the model clauses to enable data to be transferred outside of the European Union and across borders can be included in the governance framework and the governance contractual arrangements. So they've alluded to it earlier with the joint venture, but by having some sort of venture, the consortium members around the blockchain signing up to a significant governance framework really can go a long way to ensuring GDPR compliance. We then get to, I suppose the hardest elements of GDPR compliance, which as we talked about earlier, these individual rights, like the right to be forgotten or the right to have incorrect data rectified. And these are most difficult because inherent in the technology, this immutability is in effect not deleting data. The data will be there for all time. And so the question is, how can we really get over this? How can we make a blockchain solution like this comply with these? Well, there are certain technology solutions: pruning the blockchain, where after a period of time, if you like the historical elements of it can be snipped off, or by using significant encryption technology which can't be reversed or the keys are destroyed. Technology that MTI are talking about adopting around forking the chain, which again, it's where you get all of the stakeholders or all of the nodes within the blockchain to agree that a historical part of it will be set to one side and the blockchain will literally fork off in another direction. These are all potential ways of ensuring that historical data can be in effect deleted. But it still leaves us with a potential problem because as an individual, if I have the right to have my data deleted, I can ask for that at any time. And the relevant data controllers have to respond to that and delete the data within 30 days. And the methods around pruning or forking are not easy.
They take a significant amount of technology and significant amount of computer power and time and resources. And so our, I feel like combined suggestion for MTI was keep the data off the blockchain if you can. If you have to have data on the blockchain, do it on a hash basis. And then if people do have a right to have their data deleted, bearing in mind you can only have your data deleted where it's no longer relevant for the purposes. And the argument I suppose in this solution will be the historical record of the data will remain relevant for a long time. You can think of scenarios where somebody may have been recorded as being the shipper of certain cargo which they no longer want to be recorded on. Maybe it was erroneous, maybe it was an error and it needs to be rectified. And in that situation, our suggestion, and this is where we have a challenge for the regulators, our suggestion is that having all of the data on the blockchain in encrypted hashed form and then in effect requiring all of the stakeholders in this joint venture, all of the nodes of the blockchain to delete the keys that would enable you to decrypt the data, in effect that data is deleted. It is no longer possible to decrypt the data, not without a significant amount of computer power, which would not be at the hands of any particular individual. And on that basis, we would say that the data is virtually deleted. Now, there are differences of opinion within the European data world as to whether strong encryption and throwing away the key is sufficient to achieve deletion. Certainly, the forerunner to the European Data Protection Board before the GDPR took the view a few years ago that strong encryption is not in itself sufficient or strong encryption and destruction of the key is not in itself sufficient to be deletion. But of course, that guidance was given five years ago, four or five years ago, and our call to the regulator now is that we need to update that.
And if you look at some of the views coming out of France and Germany and the UK around the blockchain community, the view is that a use of strong encryption technology and an ability to delete the keys is all that would be required. So I suppose in summary on that point, and if you read the report that Sean introduced at the beginning of the webinar, there are two versions of it, but what we boiled down to is we say, you know, I suppose the question is, did we succeed in our task? CGE and sort of remain Prevath taken together, did we succeed in our task of proving that GDPR and blockchain can live together? I think the answer is pretty much there are a number of steps that you can take, which we've outlined in this presentation, in particular, using the private permissioned blockchain and keeping as much data off the chain as possible and having a strong governance framework. But at the end of the day, what we've also done is raise the challenge to the regulators to say help us, those of us who are trying to implement blockchain solutions, help us by giving us clarity, tell us that it is okay to achieve deletion by having very strong encryption on hash data on the blockchain and throwing away the key. And that's why I'm looking at the EDPB and their 10th plenary yesterday when they're discussing blockchain in a hope that having read our paper, they will be giving us a positive response. So that was a very quick rattle through our advice to MTI and now over to Dave and to Sean to add anything else.

Yeah, thanks, Rob. Nothing really to add here, because that was a great summary. Just, you know, again, top line, keep the PII off chain, as Rob said. Use a hash on chain so that you can verify that the off chain PII is correct. To keep the PII off chain, use technical measures.
That's the middleware in the case of MTI that technically avoids enabling PII to come on chain and use business measures through the structure of the JV, the governance that's set up to require participants not to put PII on chain. So I'll stop there. And I think, Sean, you want to come back on with the next section?

Yes. Yeah. Thank you. Thank you, Rob. And thank you, Dave. One point that we can't emphasize, I think, strongly enough is that it's very, very difficult to be GDPR compliant on anything but a private blockchain. So there's lots of public ones out there, but you don't know where the data resides. You don't know where the ledgers are. You don't know who has access to that. And you just, you got to be on a private chain to be GDPR compliant. So let's a couple of questions here, Rob. I know you need to run. So maybe Dave and I can talk a little bit about questions that in my travels have arisen from people interested in the subject. You know, the first and Rob, Rob, thank you. Thank you very much.

I'm fine for another five minutes. So I'm going to try and help answer some questions with you for five. And then apologies that I do have to run on the hour.

OK, great. Well, the first question I, and you hit this during the course of the presentation a little bit, but the question I'm most frequently asked is: GDPR just applies to B2C, so I'm not impacted by it in my B2B business, am I? Rob, your thoughts on that?

Good question. So you broke up a bit, but I think what you were saying was is it right that the GDPR already applies to B2C businesses? The answer is no. That's not the case. So it applies also to B2B. It's actually quite simple. GDPR is the regulation which regulates the processing of personal data, as we call it, personal identifiable information.
I think it's better known in some other jurisdictions, PII, but it doesn't matter whether that personal data is being processed as part of a consumer facing business or B2B and MTI is a good example here. There are going to be individuals who are acting in a business capacity, but they are responsible for shipping goods and for taking certain steps to ship goods and their personal identifiers, which by the way, of course, will include their name, their image, their signature, their email address, but also their transactional history and actually their other things. So their IP addresses, you know, so the history of their behavior online can all be identifiers. Now, you know, for this reason, those of my clients that are B2C clients do tend to spend more time, money, effort, energy and sleepless nights worrying about GDPR because they are processing the data of hundreds of thousands of consumers. But as a B2B business, you will be processing the data of individuals and also, by the way, you'll be processing the data of your employees. And so it is in short, it applies to all companies and other entities that process PII.

OK, thank you, Rob. One additional question here that I think is probably on the top of everyone's mind is you mentioned during the presentation that we've got a regulation, but the regulatory bodies aren't in a position to provide a lot of guidance right now. So what advice are you giving your clients, Rob and Dave?

We're making it up. No, no. Look, so first of all, to be clear, I mean, the law is the law and the regulation is quite detailed. You know, it's a big, it's a big weighty piece of legislation and there's a lot of words and a lot of recitals. So also a lot of the guidance that applied before the GDPR with the old European directive as it was then is still applicable or at least we're taking it as applicable. There's also a fair amount of case law.
So in many people's view, one of the things the regulation did is that it codified the law that had come around through case law. And so it's not true to say that there's sort of a complete absence of guidance. It's just that it's slowly coming through. So, you know, I think I suppose what I would say is there is if you take the view that the purpose of the regulation is to ensure that we protect individuals' rights, but it's not intended to prevent companies doing good business. People like Dave and myself and firms like Provath, this little to May, we take a very sort of pragmatic view of this. We help businesses to find the way through. You know, there should always be a way through to be able to comply. And the other thing I'd say is because the guidance is being designed and developed as we speak, there's a really good opportunity for everybody. People like CGE, law firms like Dave's and mine, and also people like MTI and others to actually engage with the regulators and the legislators to define that guidance. So on an industry basis and on a jurisdictional basis, companies and individuals are consulting with regulators to try and define the guidance. So it is an exciting time.

OK, thank you, Rob. And we're drawing to the end of our hour here. Maybe I can ask one last question here. And that's around additional legislation, particularly in the US and in China. Are we seeing that other countries are piggybacking on the EU legislation? And is this something that you should factor into your future design no matter where you are in the world? Or where you are in the world?

Yeah, Sean, Dave here, and I'll help with that one. And I think to start with your last question, the answer is emphatically yes. You should design PII into your solutions no matter where you're operating. And the reason I say that is because, number one, if you're a global business, you are touching on Europe almost certainly, as we have said several times in this presentation.
But even if you're not, jurisdictions all over the world are following the EU. And we're very much in a global wave situation. In the US, the state of California, which is the world's sixth largest economy, even though it's only a single state here, so it holds considerable sway in its own right, has passed a PII law that is, in many ways, modeled after the GDPR. It goes into effect next year. Other states in the US are working on legislation. I'm aware of around 10 committees of jurisdiction in Congress that have or are putting together approaches, some of which will result in legislation. It's very likely that the US will have federal legislation probably in this term of Congress, so within the next year and a half or so. And then if you go outside the US, Brazil has its own version of the GDPR that it has put in place and is standing up to implement. And other countries are looking at it as well. So I think before we're done and sooner rather than later, we are going to see GDPR-like laws on a global basis. And that's why we ought to all just come into compliance and implement IT legal governance approaches that comply with GDPR from the beginning.

OK, thank you, Dave. And I'd like to thank you, Dave and you, Rob, for an excellent and very informative hour. My apologies to the audience for not being able to take questions. We will set up a blog on the DSCI website where you can submit questions and we will get you answers to those. And in addition, we will upload today's presentation to our website and make that available to you. So thank you all for your participation. It was an excellent and informative hour. Hope you all have a good day. Thank you.

Thanks, Sean. Yep, bye.