The origins of blockchain as a distributed, public ledger may at first glance suggest that it’s fundamentally incompatible with the iron-clad privacy demanded by GDPR legislation; however, blockchain has evolved. Developments such as zero-knowledge proofs are well placed to support rather than obstruct data privacy. Does this mean that GDPR compliance and blockchain can not only coexist but together enable better data privacy?
Are blockchain and GDPR incompatible?
Data protection regulations, in particular GDPR, draw stark lines when it comes to data security, data privacy and the rights of users to control access to personal data — including the right to be forgotten.
Blockchain, in contrast, originated as a public ledger where every participant has access to the entire chain. In addition, blockchain transactions, and by extension the data stored in a blockchain, are immutable. In other words, once recorded, a transaction and its associated data cannot be erased.
It’s clear that the public nature of blockchains such as Bitcoin, and the immutability of blockchain records, both conflict with GDPR stipulations, but this is a simplistic view of blockchain. A blockchain does not need to be public, and although transaction data will be immutable, utilising blockchain applications does not dictate that personal data falling under GDPR protection must also be stored in the immutable blockchain.
GDPR compliance and blockchain: meeting GDPR requirements
While blockchain may appear to conflict with data privacy requirements, enterprises familiar with its versatility and with the risks and rewards of adopting blockchain will know that blockchain is a malleable technology.
In fact, blockchain applications have stand-out features that closely align with GDPR expectations. And where blockchain does not inherently align with data privacy principles, effective workarounds are just a few steps away. Here are a few key ideas:
- Store personal data off-chain. Using a one-way hash, an enterprise can make use of blockchain to store transactional data while keeping personal data off-chain. Only the hash of the personal data is stored on the blockchain, and because the hash is one-way, this hashed data will be meaningless once the off-chain personal data is deleted.
- Deploy zero-knowledge proofs. In short, a zero-knowledge proof lets one party (the prover) prove to another party (the verifier) that it knows certain facts without revealing those facts or how it knows them. Using zero-knowledge algorithms keeps personal data out of the fray without hobbling transactional efficiency.
- Utilise blockchain’s security advantages. GDPR takes strong views on data security, which aligns with the security advantages of a decentralised architecture. Blockchain has no single point of failure, which makes blockchain applications less vulnerable. In comparison, centralised data storage repositories have plenty of commonly exploited vulnerabilities.
- Build private blockchain applications. Enterprises can opt to build a private blockchain that walls off external users, limiting access to data. Applications utilising public and private keys can allow participants to exchange blockchain data anonymously, all in aid of data protection compliance.
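As an added worked example of the off-chain pattern in the first bullet (this is illustration code written for this page, not code from the original article): a minimal Python model in which the ledger holds only a keyed hash (HMAC-SHA-256) of each personal-data record, while the plaintext and a per-record random key sit in an erasable off-chain store. The `OffChainStore`, `Ledger`, `commit`, `record_transaction`, `verify_record`, `linkable` and `erase` names, and the sample e-mail address, are constructed for the illustration.

```python
"""Off-chain personal data with an on-chain hash commitment (added illustration)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class OffChainStore:
    """Erasable storage: plaintext personal data and one random key per record."""
    records: Dict[str, bytes] = field(default_factory=dict)
    keys: Dict[str, bytes] = field(default_factory=dict)


@dataclass
class Ledger:
    """Append-only list standing in for the immutable chain: (record_id, commitment)."""
    entries: List[Tuple[str, str]] = field(default_factory=list)


def commit(key: bytes, personal_data: bytes) -> str:
    """Keyed one-way hash of the personal data. Without `key` the value cannot
    be recomputed from a guessed plaintext, unlike a bare SHA-256."""
    return hmac.new(key, personal_data, hashlib.sha256).hexdigest()


def record_transaction(store: OffChainStore, ledger: Ledger,
                       record_id: str, personal_data: bytes) -> str:
    """Keep the plaintext and key off-chain; put only the commitment on-chain."""
    key = secrets.token_bytes(32)
    store.records[record_id] = personal_data
    store.keys[record_id] = key
    commitment = commit(key, personal_data)
    ledger.entries.append((record_id, commitment))
    return commitment


def linkable(ledger: Ledger, record_id: str, guess: bytes, key: Optional[bytes]) -> bool:
    """Can a party holding a candidate plaintext (and possibly the key) tie it
    to the ledger entry? Without the key, never: the commitment is inert."""
    if key is None:
        return False
    target = commit(key, guess)
    return any(rid == record_id and hmac.compare_digest(c, target)
               for rid, c in ledger.entries)


def verify_record(store: OffChainStore, ledger: Ledger, record_id: str) -> bool:
    """Integrity check: does the off-chain copy still match the on-chain commitment?"""
    key = store.keys.get(record_id)
    data = store.records.get(record_id)
    if key is None or data is None:
        return False  # nothing off-chain to check against (erased or never stored)
    return linkable(ledger, record_id, data, key)


def erase(store: OffChainStore, record_id: str) -> None:
    """Right to erasure: drop plaintext and key. The ledger itself is not touched."""
    store.records.pop(record_id, None)
    store.keys.pop(record_id, None)


if __name__ == "__main__":
    store, ledger = OffChainStore(), Ledger()
    email = b"alice@example.com"  # constructed sample personal data
    record_transaction(store, ledger, "tx-1", email)
    print("before erasure, verifiable:", verify_record(store, ledger, "tx-1"))
    erase(store, "tx-1")
    print("after erasure, verifiable:", verify_record(store, ledger, "tx-1"))
    print("after erasure, linkable to a guess:",
          linkable(ledger, "tx-1", email, store.keys.get("tx-1")))
    print("ledger entries retained:", len(ledger.entries))
```

The keyed hash is the point worth noticing. A bare SHA-256 of low-entropy personal data (an e-mail address, a date of birth) can be recomputed by anyone able to guess the input, so the on-chain value would stay linkable to the person after the off-chain copy is gone. Keying the hash with a secret that is erased together with the record is what makes the retained commitment meaningless afterwards, which is the property the bullet relies on.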