Data protection regulations, in particular, GDPR, draw stark lines when it comes to data security, data privacy and the rights of users to control access to personal data — including the right to be forgotten.
Blockchain, in contrast, originated as a public ledger where every participant has access to the entire blockchain. In addition, blockchain transactions, and by extension the data stored in a blockchain, is immutable. In other words, once recorded, a transaction and the associated transaction data cannot be erased.
It’s clear that the public aspects of the blockchain, such as Bitcoin, and the immutability of blockchain, both conflict with GDPR stipulations, but this is taking a simplistic approach to the blockchain. A blockchain does not need to be public, and although transaction data will be immutable, utilising blockchain applications does not dictate that personal data falling under GDPR protection must also be stored in the immutable blockchain.
While blockchain may appear to conflict with data privacy requirements, enterprises familiar with the versatility and the risks and rewards of adopting blockchain will know that blockchain is a malleable technology.
In fact, blockchain applications have stand-out features that closely align with GDPR expectations. Besides, where blockchain does not inherently align with data privacy principles, the effective workarounds are just a few steps away. Here are a few key ideas:
Instead of adapting blockchain applications to attain GDPR compliance, it is worth thinking of blockchain as a tool to enhance privacy. When no party obtains or handles personal data, data privacy considerations are dramatically reduced.
The Sovrin Foundation’s global identity network is an early example of how blockchain can be utilised to enable transactions that are highly reliant on sensitive personally identifiable information, without actually transmitting and sharing this information.
Creative applications of blockchain that meet privacy concerns are continuing to emerge, and it may well be that blockchain makes it far easier for enterprises to remain compliant with data privacy legislation such as GDPR.
Clearly, enterprises need to deploy a degree of creative thinking when developing blockchain applications that are GDPR compliant. Security and data privacy concerns should be at the forefront of blockchain application development.
“Blockchain definitely has a wide variety of uses; however, you should always keep data security in mind”, says Iurii Garasym, the Director of Corporate Security at ELEKS. ” It’s not a good idea to store personal or sensitive data in the plain format on blockchain. Consider using tokenisation or hashing instead. Personal data should be stored outside blockchain in some reliable storage or database. Then, the token, hash or link can be applied to the blockchain.”
Although having your personal data encrypted and then stored on the blockchain may sound pretty appealing for business, this solution will most likely never fully comply with the GDPR. Even when the encryption key is deleted, personal data is not. Therefore, the storage limitation principle requirements are not met. Especially, in case we are talking a lot about using the potential of quantum computers in the near future, keep in mind that they might be able to break this kind of encryption in a literal moment.
As always, the risk-based approach does make sense here. In most cases, a private or privileged blockchain with tokens in it and secure external storage should work best, at least for the time being.
Are you unsure about the security and compliance aspects of your enterprise blockchain application? Contact us today to see how you can adjust blockchain to meet privacy regulations, including GDPR.