Can blockchain and GDPR coexist?
If you didn’t know what the GDPR was a few weeks ago, you almost certainly do now. The General Data Protection Regulation became enforceable on 25 May 2018 and has overhauled privacy rights for people in the EU. But do some of its requirements undercut the benefits of blockchain technology? Or will distributed ledger technology (DLT) actually make the new rules more effective?
According to many, the answer is “a little bit of both”. In several respects blockchain can reinforce individual privacy in online transactions, because GDPR and blockchain share some goals. A traditional centralised database gives individuals little say over how their data is managed or disclosed. With DLT they can, at least in principle, decide the scope of the data that is shared and who receives it, and mitigate some of the security risks that come with handing over personal information.
Challenges and requirements
A recent paper from a student at the University of Zurich addressed some of the challenges and requirements involved in preparing blockchain networks for GDPR enforcement. It suggested that blockchain and peer-to-peer (torrent) technologies could form the foundation of decentralised platforms that provide secure data storage and processing while letting users retain full control over every aspect of their data.
In that design, shared data is encrypted before it is validated on the network, and a Personal Certificate Authority lets users restrict sharing to specific recipients, which the paper presents as a route to GDPR compliance.
Some DLT arrangements will, however, need to be rethought and tweaked. Any organisation that processes the personal data of people in the EU is subject to the rules, even if it is not established in the EU. The rules are designed to harmonise the EU’s data protection laws, which dated from the mid-1990s and were badly out of date, and to give people in the EU more protection over, and control of, their personal data.
Points to be addressed
To ensure that a blockchain meets the requirements imposed by GDPR, the following points need to be addressed.
The blockchain’s public nature: If a public key or hashed transaction data can be linked to an individual, it is personal data and falls within the scope of GDPR. The same applies to a transaction history that can be tied to one pseudonymous address: once that address is linked to a person, every record carrying it is that person’s data.
Immutability: The immutability of DLTs is not in harmony with the GDPR, whose right to erasure (the “right to be forgotten”, Article 17) is one of its core points. One of the selling points of blockchain is that data entered into it cannot be edited, changed or removed, and that is precisely the problem. Whilst it could be addressed by rewriting the chain and migrating every participant to the new version, that is an expensive and long-winded effort.
Transferring data out of the EU: DLTs and blockchains are built on nodes distributed across globe-spanning networks, whereas the GDPR restricts transfers of personal data to countries outside the EU that do not offer an adequate level of protection. Moreover, on a public blockchain each node holds an exact copy of the complete ledger, so each node operator could be considered a controller of personal data under the GDPR.
Anonymisation vs pseudonymisation: Steps can be taken to avoid storing personal information on the blockchain, or to store it only in anonymised form, but the GDPR sets a very high bar for anonymisation: data counts as anonymous only if the individual can no longer be identified by any means reasonably likely to be used. Encryption, hashing and tokenisation usually produce pseudonymised rather than anonymised data, because the output can still be traced back to an individual by anyone who holds the key, the original values, or a list of candidate identifiers to hash and compare.
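The pseudonymisation point, and the linkability point made under the blockchain’s public nature, are easy to see in code. The following is an added example, not code from the article or from the Zurich paper. The e-mail addresses and amounts are constructed, and the “ledger” is just a list of (hashed identifier, amount) records standing in for on-chain transaction data. It shows that an unkeyed hash of an identifier is reversed by anyone with a plausible guess list, that one recovered pseudonym links every transaction carrying it, and that a keyed hash (HMAC) stops outsiders but not the key holder, which is why it is still pseudonymisation in GDPR terms.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real people): what an organisation might
# consider "anonymous" if it only ever wrote sha256(email) to the ledger.
LEDGER_PLAINTEXT = [
    ("alice@example.org", 120),
    ("bob@example.org", 45),
    ("alice@example.org", 300),
    ("carol@example.org", 15),
]


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_ledger_plain_hash():
    """Naive design: the on-chain user id is an unkeyed hash of the e-mail."""
    return [(sha256_hex(email), amount) for email, amount in LEDGER_PLAINTEXT]


def dictionary_attack(ledger, candidates):
    """Reverse unkeyed hashes by hashing guesses and comparing.

    Any observer with a plausible candidate list (a customer export, a leaked
    mailing list, or brute-force enumeration of a small identifier space such
    as phone numbers) recovers every matching identifier. No secret is needed,
    because the hash is deterministic. Returns {hash: identifier}.
    """
    lookup = {sha256_hex(c): c for c in candidates}
    return {h: lookup[h] for h, _ in ledger if h in lookup}


def link_transactions(ledger, pseudonym):
    """Once a pseudonym is tied to one person, every record carrying it is
    that person's personal data: the linkage, not the hash, is the problem."""
    return [amount for h, amount in ledger if h == pseudonym]


def build_ledger_keyed(key: bytes):
    """Keyed hashing (HMAC-SHA256) with a secret held off-chain.

    An outsider without the key cannot run the dictionary attack, but the key
    holder can recompute the mapping at will, so under GDPR the result is still
    pseudonymised personal data, not anonymised data.
    """
    return [
        (hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest(), amount)
        for email, amount in LEDGER_PLAINTEXT
    ]


def keyholder_relink(key: bytes, ledger, email: str):
    """What the key holder (or anyone who later obtains the key) can do."""
    pseudonym = hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()
    return link_transactions(ledger, pseudonym)


if __name__ == "__main__":
    plain = build_ledger_plain_hash()
    # Observer's guess list: two hits, one miss; carol is never guessed.
    guesses = ["alice@example.org", "bob@example.org", "dave@example.org"]
    recovered = dictionary_attack(plain, guesses)
    print("unkeyed hashes reversed:", sorted(recovered.values()))
    print("alice's transactions:", link_transactions(plain, sha256_hex("alice@example.org")))

    key = secrets.token_bytes(32)
    keyed = build_ledger_keyed(key)
    print("keyed hashes reversed by outsider:", dictionary_attack(keyed, guesses))
    print("keyed hashes relinked by key holder:", keyholder_relink(key, keyed, "alice@example.org"))
```

Keyed hashing raises the bar for outsiders, but the test the GDPR applies is whether anyone, by means reasonably likely to be used, can still identify the person. As long as the key exists and the mapping can be recomputed, the records remain personal data and every obligation on them, including the right to erasure, still applies.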
The aim behind all of this is for users to have full control over the data they share on a platform. That is an ambitious goal, but at a time when trust in how companies handle personal data is at an all-time low, demonstrable GDPR compliance would help to restore confidence. Decentralising data ownership via the blockchain means that every user holds only a small chunk of the data, which makes it much harder to harvest personal information in bulk through illegitimate means.