Self-sovereign identity: How will regulations affect it?

In a perfect world, each user would have total control over their personal data and digital footprint. But the dream of self-sovereign identity may be inching closer to becoming a reality thanks to new regulations.

The concept of self-sovereign identity involves a decentralized system that gives individuals greater control over their personal data. Several vendors have promoted self-sovereign identity services that use blockchain as the underlying foundation of the decentralized system.

Previously, enterprises have been slow to grant users more control over their personal data. But Bianca Lopes believes that has started to change this year thanks to new regulations like the European Union's General Data Protection Regulation (GDPR), the Payment Services Directive (PSD2) and the U.K.'s Open Banking regulation.

These new laws give users varying degrees of increased control over how enterprises use their data. Lopes, formerly chief data officer of BioConnect, believes laws such as GDPR and PSD2 will push enterprises to rethink how they manage and secure the digital identities of their customers.

Here, she shares her thoughts on regulations, self-sovereign identity and the challenges ahead.

Bianca Lopes: I think you're already starting to see regulatory measures move the industry in that direction. Open Banking is an example, as I have to give consent for my data to be used and I have the right to revoke access to that data.

When you look at a lot of the blockchain systems out there for identity management, they have the ability to revoke access. So, yes, regulations are already playing a role, but the banks and large enterprises that are not thinking about this and putting identity first as a strategy are going to become further commoditized.

Take banks as an example. I find it fascinating that most banks think their differentiators are trust and advice, but it's really a lack of choice since there are only about five banks, and they're all pretty much the same.

And they don't offer advice at all because they don't even know who I am. I can't even call a bank and get someone to give me advice on a valid question without first having that representative asking me 17 different annoying questions. I think regulations will hopefully force them to think differently about identity.

At BioConnect, we had what we called the quest for rightful identity and the idea that your biometrics are rightfully yours as the user. Your eyes are your eyes, and you should be able to decide what you use them for. If you're using them to log in to your bank, there should be a mechanism that prevents the bank from making a copy of that data and keeping it [after you've switched banks]. That's a security concern. If I share that data with you today, and tomorrow you lose my trust, I should be able to revoke that access.

I think that's where technology hasn't advanced far enough yet -- not from a stand-alone technology perspective, but more from the perspective inside large organizations. It's hard for enterprises that have all these legacy systems and are divided into different siloes.

For organizations to change that, regulatory bodies have to mandate it. Otherwise, I don't think companies would. It's costly, it's difficult and it requires a different set of skills and talents that, for example, most banks don't have. It also requires them to admit that they have a problem, which most people don't like to do.

Unfortunately, we're not as close to [self-sovereign identity] as I would hope. And the other problem is this: You and I may know what GDPR and PSD2 are, but most people have no clue. There's no education about it. Most people don't understand what they're granting to get access to something, and they don't know how regulations are changing how their data can be used.