Hi, I'm Peter Burris and welcome to this week's Action Item. Once again, we're broadcasting from our beautiful theCUBE studios in Palo Alto, California and the Wikibon team is a little bit smaller this week for a variety of reasons. I'm being joined remotely by Neil Raden and Jim Kobielus. How are you doing guys?

We're doing great, Peter.

I'm doing good. Thank you.

All right, and it's actually a good team for what we're going to talk about. We're going to be specifically talking about some interesting developments and in 14 days or so, GDPR is going to kick in and people who are behind will find themselves potentially subject to significant fines. We actually were talking to a chief privacy officer here in the U.S. who told us that had the Equinix breach occurred in Europe after May 25, 2018, it would have cost, or Equifax, the Equifax breach, it would have cost Equifax over $160 billion. So these are very, very real types of money that we're talking about. But as we started thinking about some of the implications of GDPR and when it's going to happen and the circumstances of its success or failure and what it's going to mean commercially to businesses, we also started trying to fold in a second trend. And that second trend is the role Bitcoin is going to play. Bitcoin has a number of different benefits. We'll get into some of that in a bit. But one of them is that the data is immutable and GDPR has certain expectations regarding a firm's flexibility and how it can manage and handle data. And blockchain may not line up with some of those issues as well as a lot of the blockchain advocates might think. Jim, what are some of the specifics?

Well, Peter, yeah, blockchain is the underlying distributed hyper ledger, trusted database, underlying Bitcoin and many other things. Blockchain, you know, one of the core things about blockchain that makes it distinctive is that you can create records and append them to blockchains.
You can read from them, but you can't delete them or update them. It's not a CRUD database. It's essentially for you to be able to go in and erase a personally identifiable information record on an EU citizen in a blockchain. It's not possible if you stored it there. In other words, blockchain then at the very start because it's an immutable database would not allow you to comply with the GDPR's requirement that people be given a right to be forgotten, is what it's called. That is a huge issue that might put the big kibosh on implementation of blockchain, not just for PII in the EU. But really for multinational businesses, anybody who does business in Europe coordination is like, disregard Brexit for now like Germany and France and Italy you got to be conforming completely worldwide essentially with your PII management capabilities in order to pass muster with the regulators in the EU and avoid these massive fines. Blockchain seems like it would be incompatible with that compliance. So where does the blockchain industry go or does it go anywhere or will it shrink? Will the mania die because of the GDPR slap in the face? Probably not.

There is a second issue as well, Jim. At least, I think there is. And that is blockchain allows for anonymity which means that everybody effectively has a copy of the ledger anywhere in the world. So if you've got personally identifiable information coming out of the EU and you're a member or you're a part of that blockchain network living in California, you get a copy of the ledger. Now, you may not be able to read the details and maybe that protects folks who might implement applications in blockchain but it's a combination of both the fact that the ledger is fully distributed and that you can't go in and make adjustments so that people can be forgotten based on EU laws. Have I got that right?

That's right. And then there's a gray area.
You can't encrypt any and every record in a blockchain and conceal it from the prying eyes of people in California or in Thailand or wherever in the EU, but that doesn't delete it. That's not the same as erasing or deleting. So there's a great issue and there's no clarity from the EU regulators on this. What if you use secret keys to encrypt individual records, PII on a blockchain and then lost the keys or deleted the keys, is that effectively, would that be the same as erasing the record even though those bits would still be there to be unreadable? None of this has really been addressed in practice and so it's all a gray area. It's a huge risk factor for companies that are considering exploring uses of blockchain for managing identity and security and all that other good stuff related to the records of people living in EU member countries.

So it seems as though we have two things that are likely to happen. First off, it's very clear that a lot of the GDPR related regulations were written in advance of comprehending what blockchain might be and so GDPR typically doesn't dictate implementation styles so it may have to be amended to accommodate some of the blockchain implementation style. But it also suggests that increasingly we're going to hear from a design standpoint the breaking up of data associated with a transaction so that some of the metadata associated with that transaction may end up in the blockchain but some of the actual PII related data that is more sensitive from a GDPR or other standpoint might remain outside of the blockchain. So the blockchain effectively becomes a distributed secure network for managing metadata in certain types of complex transactions. Is that in scope of what we're talking about Jim?

Yeah, in fact you raised and alluded to a big issue for implementers. There will be on-chain implementations of particular data applications and off-chain implementations.
Off-chain, off-blockchain will probably be all the PII in databases, relational and so forth that allow you to do deletes and updates and so forth and to comply with GDPR and so forth and similar mandates elsewhere. GDPR is not the only privacy mandate on earth. And then there's on-chain applications that yield where the data, what data sets will you store in blockchains? You mentioned metadata. Now metadata I'm not sure because metadata quite often is updated for lots of reasons, for lots of operational patients. But really fundamentally if we look at what a blockchain is it's an audit log. It's an archive potentially of a distributed fashion. Historical data that never changes and you don't want it to change. Ideally, I mean like in an audit log, let's say in the internet of things, autonomous vehicles crash and so forth and the data on how they operate should be stored either in a black box on the devices, on the cars themselves and also possibly backed up to a distributed blockchain where there's a trusted, persistent, resilient record of what went on. That would be a perfect idea for using blockchains for storing perhaps trusted timestamp, maybe encrypted records on things like that because ultimately the regulators and the courts and the lawyers and everybody else will want to come back and subpoena and use those records to analyze what went on. I mean, for example, that's an idea where something like a blockchain can simply might be employed that doesn't necessarily have to involve PII unless of course it's an individual person's car and so there's all those gray areas for those kinds of applications. So right now it's kind of looking fuzzy for a blockchain in lots of applications where identity can be either where you can infer easily the infer the identity of individuals from data that may not on the face of it look like it's PII.

So Neil, I want to come back to you because it's this notion of being able to infer one of the things that's been going on in the industry for the past 60 years is the dream of being able to create a transaction and persist that data but then generate derivative value out of that data through things like analytics, data sharing, et cetera. Blockchain because it basically locks that data away from prying eyes, it kind of suggests that we want to be careful about utilizing blockchain for applications where the data could have significant or could generate significant derivative use. What do you think?

Well, we've known for a long, long time that if you have anonymized data in a data set that if you can merge that data with data from another data set relatively easy to find out who the individuals are. You add DNA stuff to that, EHR records, surveys, things from social media, you know everything about people and that's dangerous because we used to think that while losing our privacy means that we're going to keep giving us recommendations to buy these fancy shoes, it's much more sinister than that. You can be discriminated against in employment, in insurance, in your credit rating and all sorts of things. So it's I think a really burning issue but what does it have to do with blockchain and GDPR? That's an important question. I think that blockchain is a really immature technology right now and like all immature technologies, it's either going to evolve very quickly or it's going to wither and die. I'm not going to speculate which one it's going to be but this issue of how you can use it and how you can anonymize data and things that are immutable, I think they're all unanswered questions for the wider role of applications. But to me, it seems like you can get away from the immutable part by taking previous information and simply locking it away with encryption or something else. And adding new information.
The problem becomes I think what happens to that data once someone uses it for other purpose than putting it in a ledger. And the other question I have about GDPR in blockchain is who's enforcing this? What army of people are sifting through all this data to decide who's in violation? Does it take a breach before they have it or is there or something else going on? Or is the act of participating in a blockchain equivalent to owning or having some visibility or something into a system?

So I think it's a great question and GDPR again doesn't seem to have answers to that question. Jim, what were you going to say?

Yeah, the EU and its member nations have not worked out those issues in terms of how will they monitor enforcement and enforce GDPR in practical terms. I mean, clearly it's going to require on the parts of Germany and France and the others and maybe out of Brussels there might be some major directorate for GDPR monitoring and oversight in terms of both companies operating in those nations as well as overseas with European markets. None of that's been worked out by those nations. Clearly that's like, just like the implementation issues like blockchain or not blockchain we're moving in toward the end of the month with not only have those issues not worked out many companies, many enterprises both in Europe and elsewhere are not GDPR ready and some of them, I'm not going to name names may make a good boast that they are but nobody really knows what it means to be ready at this point. This came to me very clearly when I asked Bernard Marr, a well-known author and influencer in the big data space, in Berlin a few weeks ago at the DataWorks Summit, I said Bernard you consult all over with big companies what percentage of your clients and without giving names do you think are really truly GDPR ready for May 25th?
He said very few because they're not sure what it means either. Everybody's groping their way towards some kind of a hopefully risk mitigation strategy for addressing this issue.

Well the technology certainly is moving faster than the law and I'd say argue even faster than the ethics. It's going to be very interesting to see how things play out. So just for anybody that's interested, we are actually in the midst right now doing some nice piece of research on blockchain patterns for applications and what we're talking about essentially here is the idea that blockchain will be applicable to certain classes of applications but a whole bunch of other applications it will not be applicable to. So it's another example of a technology that initially people go oh wow that's the technology that's going to solve all problems, all data's going to move into the cloud. Jim you'd like to point out Hadoop, all data and all applications are going to migrate to Hadoop and clearly it's not going to happen. Neil the way I would answer the question is that blockchain reduces the opportunity for multiple parties to enter into opportunism so that you can use a blockchain as a basis for assuring certain classes of behaviors as a group, as a community and have that be relatively auditable and understandable so it can reduce the opportunity for opportunism. So companies like IBM probably are right that the idea of a supply chain oriented blockchain that's capable of assuring that all parties when they are working together are not exploiting holes in the contracts, that they're actually complying and getting equal value out of whatever that blockchain system is and they're not gaming it while they can go off and use their own data to do other things if they want. That's kind of the in-chain and out-of-chain notion. So it's going to be very interesting to see what happens over the course of the next few years but clearly even in the example that I described the whole question of GDPR compliance doesn't
go away. All right so let's get to some action items here. Neil what's your action item?

Well, God I have a whole bunch of them I suppose but when it comes to GDPR and blockchain I just have a huge number of questions about how they're actually going to be able to enforce it. And when it comes to personal information, back in the middle ages when you went to the market to buy a baby pig they put it in a bag and tied it because they wouldn't want the piglet to run away because it'd take too much trouble to find it, but when you got it home sometimes they actually didn't give you a pig they gave you a cat and when you opened up the bag the cat was out of the bag. That's where the phrase comes from. So I'm just waiting for the cat to come out of the bag. I think this sounds like a real fad that was built around Bitcoin and we're trying to find some way to use it in some other way but I just don't know what it is. I'm not convinced.

Jim, action item.

Yeah, my advice for data managers is to start to segment your data sets into those that are forgettable under GDPR and those that are unforgettable. The forgettable ones is anything that has publicly identifiable information or that can be easily aggregated into identifying specific attributes of specific people whether they're in Europe or elsewhere is a secondary issue. The unforgettable is a stuff that it has to remain inviolate and persistent and can that be deleted and so forth? All the unforgettables are suited to writing to one or more blockchains but they are not kosher with GDPR and other privacy mandates and focusing on the unforgettable data whatever that might be then conceivably investigate using blockchain for distributed access and so forth but bear in mind that blockchain is just one database technology among many in a very hybrid data architecture. You got so many ways to skin the cat in terms of HDFS versus blockchain versus NoSQL variants.
Don't imagine because blockchain is the mania of the day that you got to go there. There's lots and lots of alternatives.

All right, so here's our action item overall. This week we discussed on Action Item the coming confrontation between GDPR which has been in effect for a while but actually fines will start being levied after May 25th and blockchain. GDPR has prescribed relatively strict rules regarding a firm's control over personally identifiable information. You have to have it stored within the bounds of the EU if it's derived from an EU source and also it has to be forgettable. That source if they choose to be forgotten the firm that owns that data or administers and stewards that data has to be able to get rid of it. This is in conflict with blockchain which says that the ledgers associated with a blockchain will be first of all fully distributed and second of all immutable and that provides very powerful application opportunities but it's not GDPR compliant in the face of it. Over the course of the next few years no doubt we will see the EU and other bodies try to bring blockchain and blockchain related technologies into a regulatory regime that actually is administerable as well as auditable and enforceable but it's not there yet. Does that mean that folks in the EU should not be thinking about blockchains? We don't know, it means it introduces a risk that has to be accommodated but we at least think that what has to happen is data managers on a global basis need to start adding to it a concept of forgettable data and unforgettable data to ensure that it can remain in compliance. The final thing we'll say is that ultimately blockchain is another one of those technologies that has great science fiction qualities to it but when you actually start thinking about how you're going to deploy it there are very practical realities associated with what it means to build an application on top of a blockchain data store.
Ultimately our expectation is that blockchain will be an important technology but it's going to take a number of years for knowledge to diffuse about what blockchain actually is suitable for and what it's not suitable for and this question of GDPR and blockchain interactions is going to be an important catalyst to having some of those conversations. Once again, Neil, Jim, thank you very much for participating in Action Item today.

My pleasure.

And I'm Peter Burris and you've been once again listening to a Wikibon Action Item. Until we talk again.