World Economic Forum - Inclusive Deployment of Blockchain for Supply Chains: Part 4 Protecting Your Data (English), 2019.9, 29 pages
White Paper

Inclusive Deployment of Blockchain for Supply Chains: Part 4 Protecting Your Data

September 2019

World Economic Forum
91-93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0)22 869 1212
Fax: +41 (0)22 786 2744
Email: contact@weforum.org
www.weforum.org

© 2019 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

This white paper has been published by the World Economic Forum as a contribution to a project, insight area or interaction. The findings, interpretations and conclusions expressed herein are a result of a collaborative process facilitated and endorsed by the World Economic Forum, but whose results do not necessarily represent the views of the World Economic Forum, nor the entirety of its Members, Partners or other stakeholders.

Contents

Preface
1. Deploying blockchain technology: the need for data protection and practical efficiencies
2. Reality check: obligations in relation to data
3. Protecting commercially sensitive data
4. Data protection compliance: GDPR as a lens
5. Blockchain solutions for commercially sensitive data and data protection compliance
6. Reconciling blockchain and data confidentiality
Conclusion
Appendix 1
Glossary
Contributors
Endnotes

Preface

The deployment of blockchain and other distributed ledger technologies in supply chains offers considerable advantages. Nevertheless, their deployment and implementation can raise concerns about how best to both meet data protection laws and protect commercially sensitive data.¹ Supply chain actors may be unwilling to take on what they perceive as additional legal risk, especially if data
protection obligations become, or are seen to become, unduly burdensome. The European Union's General Data Protection Regulation, for example, is at the forefront of a new wave of data protection legislation globally, and brings with it important practical and regulatory obligations, with the potential for significant fines in cases of non-compliance.

With respect to safeguarding commercially sensitive data in supply chain transactions, the deployment of blockchain may lead to a perceived loss of control, raising questions about security, access rights and how to structure blockchain solutions: e.g. whether only some subsets of data should be shared on the blockchain and/or whether data sharing should be limited to only those parties involved in the transaction.

Within this context, this paper provides practical introductory guidance to supply chain actors who seek greater confidence as they navigate the implications for the protection of data when deploying blockchain solutions.

This is the fourth white paper in a series and part of a broader project focused on the co-creation of new tools and frameworks to shape the deployment of distributed ledger technology in supply chains towards interoperability, integrity and inclusivity. The World Economic Forum's Centre for the Fourth Industrial Revolution is working with a multistakeholder group to produce a project that includes:

- A series of white papers published in 2019. Collectively and individually, these papers will offer insights and investigations into specific considerations for decision-makers to harness blockchain technology responsibly.²
- A concise, easy-to-use toolkit to be released at the beginning of 2020 covering important topics for supply chain decision-makers to consider for responsible blockchain deployment, including a section on data protection to meet commercial and compliance considerations.

A blockchain and distributed ledger technology primer is available in Part 1 of this white paper series, Inclusive Deployment of
Blockchain for Supply Chains: Part 1 Introduction (April 2019),³ which readers may find useful to read in conjunction. This paper builds on that work in order to articulate, in simple terms, important blockchain and distributed ledger technology concepts as they relate to data protection compliance and commercial data confidentiality considerations.

Anne Josephine Flanagan, Project Lead, Data Policy, World Economic Forum
Nadia Hewett, Project Lead, Blockchain and Distributed Ledger Technology, World Economic Forum

1. Deploying blockchain technology: the need for data protection and practical efficiencies

The great value proposition of deploying blockchain and other distributed ledger technologies (herein referred to as “blockchain”) in supply chains is that they may enable collaborative commerce without the need for a (potentially costly) third-party intermediary operating between parties that may not know or trust each other. The distributed nature and other features of these technologies can allow for greater transparency, identification of stakeholders, transfer of assets, new financial opportunities and increased accuracy in forecasting and planning, leading to more efficient and profitable operations in supply chains.

While most companies and government entities want to realize these goals, there are countervailing concerns regarding data protection, privacy and the confidentiality of certain information. In the course of selecting and deploying a blockchain solution, a supply chain operator should understand how blockchain protocols address both their data protection and privacy concerns⁴ and those of other supply chain partners (including any concerns about potentially revealing commercially sensitive data) early in the process so as to ensure that such concerns can be adequately met for all supply chain partners. However, in Deloitte's 2019 Global Blockchain Survey, half of respondents cited privacy-related
regulations as a matter of concern, markedly more than any other choice of blockchain regulatory issue.⁵ In many cases, data protection and privacy are enforced by legislation, e.g. the GDPR, or by commercial or supplier/client contract (covering client or commercial confidentiality), but blockchain technology affects how we address these protected rights and legitimate commercial concerns and can require complicated analysis.⁶

This paper aims to provide an overview of the most common concerns regarding (a) data protection regulation; and (b) commercial confidentiality as raised by supply chain actors when considering blockchain solutions. The paper does not examine the multitude of technical layers, complexities, hypotheticals and exceptions that exist within blockchain and distributed ledger technology, though the authors recognize their existence and importance.

Specifically, this paper:

- Highlights important considerations in respect of (a) commercially sensitive data; and (b) data protection regulatory compliance (page 7 to 15)
- Examines the most accessible blockchain solutions available to overcome these data protection and privacy needs (page 16)
- Identifies some basic trade-offs in deciding which of these blockchain solutions represent the best fit (page 22)

The paper will make several important assumptions to guide a more robust analysis of these issues:

Given the international nature of supply chains, we will use the GDPR as a proxy for regulatory compliance obligations. The GDPR's standards are some of the most rigorous in the world and this lens of analysis will allow us to focus on the substance of the data protection principles at play. Compliance with regulations is jurisdiction- and use case-specific, however, and supply chain actors should obtain specialist advice on their individual jurisdictional requirements.

This white paper does not discuss data access or localization laws, which may apply to data beyond personal information, but it is important to note that these restrictions may also
have implications for any blockchain-enabled solution. In addition, the EU's ePrivacy Directive⁷ is closely related to the GDPR and imposes legal obligations ensuring the privacy of electronic communications and data in transmission. An examination of the blockchain implications of the ePrivacy Directive is also beyond the scope of this white paper.

Similarly, there is no such thing as a typical supply chain or a typical blockchain-centric solution when applied holistically; users of this toolkit should adapt the recommendations and analysis to their own specific supply chain context, use case and blockchain design.

Supply chain-specific industry standards, customs and border protection, or sustainable or environmental requirements that require the collection and verification of certain supply chain data will also not be discussed in this paper.

2. Reality check: obligations in relation to data

Data confidentiality on the blockchain roughly bifurcates into issues of (a) commercially sensitive data; and (b) data that must be protected for regulatory compliance reasons. Many use cases will touch upon both sets of issues, but it is important to think of them as separate concepts since they are motivated by entirely different concerns and have differing implications. Below, we work through various considerations in respect of each category of concern.

No supply chain actor will share its commercially sensitive data (whether via blockchain or otherwise) with its supply chain partners unless it can maintain its current competitive and informational advantages. The following outlines the most common baseline requirements for sharing data. Each of the examples is a real use case, with names hidden to protect confidentiality.

Transactions in a supply chain ecosystem cannot be fully transparent

While supply chain actors are interested in using blockchain precisely because it allows for transparency and visibility across
multiple tiers upstream and downstream, it is undesirable to reveal data to this extent. First, many critical operational points in supply chains rely on a lack of transparency. One particular supply chain, for example, may legitimately try to enforce a lack of visibility about the identity of upstream suppliers, the prices paid by downstream suppliers, the true length of a cash-conversion cycle, the status of regulatory compliance, true levels of demand and available inventory, and details about the production process. Secondly, if confidential information such as trade secrets needs to be revealed to regulatory bodies, for instance, customs and oversight agencies, they are revealed for compliance purposes only and in strictest confidence. This information cannot and should not be shared across the supply chain where it would be visible to other actors. Even if this data is aggregated without important identifiers, the possibility of analysing trends and patterns for economic advantage is too great for most supply chain partners to consider this level of openness.

Confidential information has to stay confidential

One may wonder why two supply chain partners transacting with one another would want to keep certain information from the other and yet log that information onto the blockchain. There are two reasons:

- They believe that there is value in having the blockchain serve as a single source of truth for authenticated supply chain data so that participants can extract the particular data they need, and
- The practical challenges of understanding what should be obfuscated and what can be revealed during a one-to-one integration process are too immense.

3. Protecting commercially sensitive data

Example: Information is on blockchain but has to stay confidential

Let's take a look at an example: An electronics contract manufacturer (CM) provides vendor-managed inventory services to its buyer, a large electronics original equipment manufacturer (OEM). The CM has been bundling storage, insurance and financing
costs into its ultimate price for the finished goods to the OEM. The CM would now like to obtain supply chain finance on the blockchain, which will entail revealing to the OEM what their current financing costs are without revealing the other costs, or their own financing arrangements with the Tier 2 supplier. The financier providing the capital will want to know all of this information and is willing to offer more competitive financing precisely because of this visibility. For a distributed ledger system to have real commercial value, the CM would need to be able to share information on a secure, need-to-know and one-to-many basis with any counterparty, but there is not a pre-blockchain solution that presents a practical way of doing so.

Companies want to use ecosystem data in forecasting and planning without revealing raw data

Collaborative planning across a supply chain based on the sharing of accurate demand forecasts, inventory levels on hand and production estimates has long been a goal for optimizing supply chain operations. In terms of logistics, ocean carriers need rolling forecasts from their customers while inland rail operators need to know the number of inbound containers from the ocean liner and port a few weeks in advance to plan a schedule and allot resources. These are just a few examples of how the increased flow of information across an ecosystem can lead to greater efficiency and on-time delivery. However, supply chains have been unable to achieve this because there has not been an incentive to share accurate forecast information with partners and even if there was, there was no way to securely share such information across the supply chain in a coordinated and timely manner.

Consider the demand forecast example. A buyer is incentivized to either inflate a demand forecast to ensure supply or secure a volume discount. Anticipating that this is the case, a supplier will therefore
underproduce. A supplier, on the other hand, will likely under-report the inventory on hand if it is trying to create scarcity or inflate it if it is trying to satisfy outsized demand. The buyer will therefore adjust its actual purchases accordingly. Lack of coordination within a supply chain frequently leads to shortages or excess inventory, and the cost of such inefficiency is high enough to drive the need for greater transparency and collaboration. The supply chain partners, then, have to thread the needle of sharing information without giving away their informational advantage or revealing sensitive information.

[Figure: T2 Supplier, VMI, CM and OEM, linked by "ship" and "invoice" steps. Annotations: "Bank and OEM need to know this information for supply chain finance on the blockchain." "Bank currently knows this information for traditional supply chain finance."]

In addition, the lack of a mechanism by which data could be shared securely and authenticated to multiple networks of platforms at the same time means that faulty data abounds even when supply chains set out with the intention