GDPR: Stumbling block for Blockchain?
These are interesting times. Around the world, new and emerging technologies are disrupting and transforming traditional trade practices. In Europe, a deadline is approaching (25 May 2018) for implementation of a new regulation on data protection that will contribute to this transformation for anyone doing business within the European Union (EU). With the General Data Protection Regulation (GDPR), the European Parliament and the European Commission intend to strengthen data protection for all individuals within the EU. Non-compliance can lead to a fine of up to 4% of the annual global turnover of the organization.
The GDPR includes a number of provisions affecting digital identity governance that provide individuals with control over their personal data. Key provisions are:
- Right to Consent: Individuals must provide consent before their personal data can be used, and they can revoke that consent at any time.
- Right to be Forgotten: Individuals can request erasure of any or all of their personal data.
- Right to Portability: Individuals have the right to receive the personal data they previously provided to a processor in an easy-to-use digital format and transmit the data to another processor.
- Right of Data Minimization: A processor can use an individual's personal data only if it is necessary for the specific purpose, that is, only the minimum data required.
GDPR compliance is a top priority for organizations in the EU. In addition, many organizations are keen to adopt the emerging blockchain technology. While there are benefits to both, blockchain technology has the potential to disrupt operating models when viewed in conjunction with GDPR compliance.
Blockchain – The opportunities
Blockchain is a distributed database that maintains a continuously growing list of records called blocks. Each block contains a timestamp and a link to the previous block. Each node in the blockchain has a copy of the data. Reasons why blockchains afford an opportunity to secure personal data include:
- Cryptography and digital signatures. Blockchain technology uses cryptography and digital signatures to store and manage information, including personal information. Blockchains are therefore considered relatively safe, because they ensure identity authenticity and enforce read/write access rights.
- Decentralization. Currently, trusted third parties process personal data. These entities are centralized, which makes them vulnerable to cyber attacks resulting from single points of failure. Blockchain is a decentralized and distributed technology that eliminates the risk of a single point of failure.
- Traceability. Blockchain creates encrypted blocks of ordered records. Each block is inherently resistant to any data modification or deletion. This ensures complete traceability of data, making it a governance-friendly technology.
Blockchain – The challenges
Blockchain is a governance-friendly technology that ensures the integrity of data at all times. However, the very features of this technology are in direct conflict with the GDPR provisions. Two of the challenges that arise from the adoption of the GDPR are:
- Blockchains are non-editable: It is almost impossible to change or delete the information contained in the blocks, which conflicts with the Right to be Forgotten provision of GDPR. Therefore, organizations need to be careful about how they store personal information while reaping the benefits of blockchain technology. There are organizations working to create a secure mechanism to edit or delete blocks, but this is still in the conceptual stage.
- It is unclear who controls personal data in a blockchain: This data is maintained on every node of the distributed network, which is accessible to everyone regardless of the original purpose of its collection and processing. This conflicts with the Right of Data Minimization provision of GDPR, under which the processor uses only the minimum personal data required for the specific process.
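To make the first challenge concrete, here is an added example (not code from the original post) of a minimal hash chain in which each block links to the previous block's hash. It assumes a simplified block layout (index, timestamp, records, previous hash) and constructed sample records; honouring an erasure request on one node's copy immediately breaks chain validation, and every other node still holds the original record.

```python
import hashlib
import json

def block_hash(index, timestamp, records, prev_hash):
    """Hash the block contents; constructed, simplified block layout."""
    payload = json.dumps(
        {"index": index, "ts": timestamp, "records": records, "prev": prev_hash},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(record_batches):
    """Build a minimal hash chain: every block links to the previous block's hash."""
    chain, prev_hash = [], "0" * 64
    for index, records in enumerate(record_batches):
        timestamp = 1_500_000_000 + index  # constructed fixed timestamps, so runs are deterministic
        block = {"index": index, "ts": timestamp, "records": list(records), "prev": prev_hash}
        block["hash"] = block_hash(index, timestamp, block["records"], prev_hash)
        chain.append(block)
        prev_hash = block["hash"]
    return chain

def validate_chain(chain):
    """Return the index of the first block whose hash or link no longer checks out, or None."""
    prev_hash = "0" * 64
    for block in chain:
        expected = block_hash(block["index"], block["ts"], block["records"], block["prev"])
        if block["prev"] != prev_hash or block["hash"] != expected:
            return block["index"]
        prev_hash = block["hash"]
    return None

def erasure_request(chain, block_index, record):
    """Honour an erasure request on one node's copy by deleting the record in place.
    Returns (valid_before, first_broken_block): the chain validates before the
    deletion and fails at the edited block afterwards, which is the conflict with
    the Right to be Forgotten. Every other node still holds the original copy.
    """
    before = validate_chain(chain)
    chain[block_index]["records"].remove(record)
    return before, validate_chain(chain)

# Constructed sample records: one personal-data item among ordinary ledger entries.
SAMPLE = [["order:1001"], ["email:alice@example.com", "order:1002"], ["order:1003"]]

if __name__ == "__main__":
    print(erasure_request(build_chain(SAMPLE), 1, "email:alice@example.com"))  # (None, 1)
```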
When considering blockchain and GDPR together, one thing that clearly stands out is the need for a fundamental change in the way personal data is managed. There is a need to provide individuals with control over how their data is used.
As has been rightly pointed out by one of my colleagues, regulators are bound to regulate this new technology at some point. This, in turn, would impact blockchain innovations. As the use of big data and IoT proliferates, there is no doubt that blockchains will become key components of future systems. However, to cope with data protection regulations, an effective framework needs to be built for blockchain applications. The framework should be such that it maximizes the benefits of this emerging technology.
In my next blog, I will present my views on how to create synergy between blockchain technology and GDPR compliance. Stay tuned...