Blockchain technology and the General Data Protection Regulation (GDPR) of the European Union are without doubt two of the most trending topics of 2018. The blockchain is the technology that underpins Bitcoin and other popular cryptocurrencies: it provides mechanisms for decentralized security and trust in financial transactions, i.e. without involving any trusted third party. During the last couple of years, blockchain technology has also been adopted in a variety of non-finance applications, especially in sectors like energy, industry, and healthcare. On the other hand, GDPR is a recently approved regulation, which imposes new data protection requirements for all European citizens and for European enterprises operating anywhere in the world. As such it affects the way enterprises handle citizens' data, including the technologies they employ to collect, process and analyze datasets. This is where blockchains and GDPR meet: blockchains store and process data in distributed ledger infrastructures, and therefore their operation and use must comply with GDPR.
Blockchains and GDPR: Challenges and Opportunities
GDPR is structured around some core principles, including the need for transparency, fairness, and lawfulness in the handling and use of personal data, as well as for limiting the processing of personal data to specified, explicit, and legitimate purposes. Under GDPR, data controllers and data processors must also minimize the collection and storage of personal data to what is adequate and relevant for the intended purpose, while at the same time ensuring the security, integrity, and confidentiality of personal data. Enterprises take GDPR seriously, given that the maximum fine for serious infringements can be as high as the greater of €20 million or four percent (4%) of an organization's annual global revenue.
GDPR ensures that individuals have control over their personal data and are able to access, view and change it at any time. Moreover, citizens have the "right to be forgotten", which means that they must be able to have their data deleted whenever they want. This right creates some tension between GDPR and blockchain technology, given that public blockchains are immutable: once information is in the blockchain, it cannot be altered or deleted. Also, blockchains are by definition decentralized and not under the control of a single party such as an administrator. Without an administrator with "delete rights" on the blockchain, it becomes difficult to delete an individual's personal data. Likewise, all information in a blockchain is public, which makes it accessible to anyone as a means of preventing data manipulation. As a result, there are some obvious conflicts between a blockchain's operational characteristics (i.e. decentralization, immutability, transparency) and GDPR principles.
Nevertheless, blockchain technology also presents opportunities for boosting GDPR compliance. For example, blockchains use a public/private key system, which allows participants to send and receive data pseudonymously. In particular, the private key controls access to information, while the public key makes transactions addressable without linking them to elements that identify a person. Furthermore, the blockchain's decentralized nature alleviates the security and reliability vulnerabilities of centralized systems, which eliminates the risks of data breaches and can, therefore, foster GDPR compliance.
Given the above-listed challenges and opportunities, when collecting and processing personal data in a blockchain, enterprises need to seek solutions that take advantage of the benefits without compromising compliance. To this end, they have to consider the obvious implication of the right to be forgotten for the design and operation of blockchain infrastructures: personal data cannot be stored directly on the blockchain. To alleviate this limitation, the following alternatives can be considered:
- Encrypting the data stored in the blockchain: Reading encrypted data requires access to the appropriate key. Hence, destroying the encryption key can be a way of making the data unreadable and implementing the right to be forgotten. While this solution is technically sound, it may not be legally accepted as GDPR compliant, for two main reasons. First, the data are still in the chain, even though they are unreadable. Second, encryption keys can be stolen, made public or even lost, any of which can compromise GDPR compliance.
- Storing timestamps for information located outside the chain: This solution stores only timestamps in the ledger, while keeping the actual data (including any personal data) outside of the chain. This eases the complete erasure of data as part of the right to be forgotten. Nevertheless, it raises additional security concerns and fails to exploit the blockchain's reliability benefits. In the same spirit, there are already several solutions that store only the hash of a transaction in the blockchain as a means of implementing the right to be forgotten.
- Private and permissioned blockchains: Besides public blockchains, enterprises are nowadays implementing solutions in private and controlled environments, based on the so-called private and permissioned blockchain infrastructures. The latter provide the means of defining governance schemes that allow change and deletion of blockchain data as part of a GDPR compliant application.
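One way to realise the off-chain pattern from the second alternative, as an added example that is not from the original article: personal data lives in an erasable off-chain store, only a keyed hash commitment goes on the ledger, and erasure deletes both the data and the per-record secret salt, so the digest that remains on the immutable chain can no longer be matched to a guessed identity. The `Ledger` and `OffChainStore` classes, the record layout and the sample record are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import os

def canonical(data: dict) -> bytes:
    """Stable serialisation so the same record always hashes the same way."""
    return json.dumps(data, sort_keys=True).encode()

class Ledger:
    """Hash-chained, append-only list standing in for an immutable blockchain."""
    def __init__(self):
        self.blocks = []
    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        digest = hashlib.sha256(prev.encode() + canonical(payload)).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.blocks) - 1
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for block in self.blocks:
            expected = hashlib.sha256(prev.encode() + canonical(block["payload"])).hexdigest()
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True

class OffChainStore:
    """Holds the personal data plus a per-record secret salt; both can be erased."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}
    def store(self, personal_data: dict) -> str:
        record_id = os.urandom(8).hex()  # opaque handle, not an identity
        salt = os.urandom(32)  # secret key for the commitment; erased with the data
        commitment = hmac.new(salt, canonical(personal_data), hashlib.sha256).hexdigest()
        block = self.ledger.append({"record": record_id, "commitment": commitment})
        self.records[record_id] = {"data": personal_data, "salt": salt, "block": block}
        return record_id
    def verify(self, record_id: str) -> bool:
        rec = self.records.get(record_id)
        if rec is None:  # erased or unknown: nothing to check against
            return False
        on_chain = self.ledger.blocks[rec["block"]]["payload"]["commitment"]
        recomputed = hmac.new(rec["salt"], canonical(rec["data"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(on_chain, recomputed)
    def erase(self, record_id: str) -> bool:
        # Right to be forgotten: data and salt go; the on-chain digest stays but,
        # without the salt, cannot be matched to a guessed identity by brute force.
        return self.records.pop(record_id, None) is not None
```

An unkeyed hash of a small value such as an e-mail address would be guessable from the chain alone, which is why the commitment is keyed with a salt that is deleted together with the record.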
Beyond technical solutions for GDPR compliance, there is always a need for accompanying legal consulting before the compliance of a blockchain solution can be assured. This is because the mapping of some GDPR concepts (e.g., data controller, data processor, third parties) onto blockchain technology is open to interpretation. Hence, legal experts need to verify the compliance of any solution, considering the roles and responsibilities of the various stakeholders during the blockchain's operation.
Building on the blockchain's benefits for implementing GDPR compliance, there are already a number of GDPR compliant blockchain-based products and services. For example, the Pillar project has implemented an open-source, multi-chain wallet that provides platform services for consumers, companies, and governments. Users of the Pillar wallet lock, control and protect their data in compliance with GDPR. Another example is the LogSentinel product, which offers secure, audit-proof logging. It provides data integrity and makes it impossible to manipulate the data without detection. Moreover, it provides GDPR compliance reports along with a built-in data processing register. A third example of a blockchain-based solution for GDPR is VOLTA, which leverages KSI blockchain technology and supports governance and compliance processes for managing personally identifiable information in line with GDPR. At the heart of the solution lies a technology that allows any type of electronic activity to be independently verified without the need for trusted third-party insiders or cryptographic keys. There are many more examples of products that leverage the capabilities of the blockchain in order to provide GDPR compliance solutions. They all tap into the opportunities that we have presented above.
Overall, despite some obvious conflicts between GDPR principles and the properties of blockchain technology, it is possible to implement GDPR compliant blockchains. However, doing so is not only a technology issue; it also needs sound legal expertise. Furthermore, the properties of blockchain technology make it well suited to implementing GDPR compliance solutions, as the products listed above show. These products are probably just the beginning: blockchain is likely to become one of the primary GDPR compliance technologies in the years to come.