Are blockchain and GDPR incompatible?
Data protection regulations, in particular, GDPR, draw stark lines when it comes to data security, data privacy and the rights of users to control access to personal data — including the right to be forgotten.
Blockchain, in contrast, originated as a public ledger where every participant has access to the entire blockchain. In addition, blockchain transactions, and by extension the data stored in a blockchain, is immutable. In other words, once recorded, a transaction and the associated transaction data cannot be erased.
It’s clear that the public aspects of the blockchain, such as Bitcoin, and the immutability of blockchain solutions, both conflict with GDPR stipulations, but this is taking a simplistic approach to the blockchain. A blockchain does not need to be public, and although transaction data will be immutable, utilising blockchain applications does not dictate that personal data falling under GDPR protection must also be stored in the immutable blockchain.
GDPR compliance and blockchain: meeting GDPR requirements
While blockchain may appear to conflict with data privacy requirements, enterprises familiar with the versatility and the risks and rewards of adopting blockchain will know that blockchain is a malleable technology.
In fact, blockchain applications have stand-out features that closely align with GDPR expectations. Besides, where blockchain does not inherently align with data privacy principles, the effective workarounds are just a few steps away. Here are a few key ideas:
- Store personal data off-chain. By using hashing that works one-way, an enterprise can make use of blockchain to store transactional data while keeping personal data stored off-chain. While the hash of the personal data will be stored on the blockchain, a one-way hash means that this hashed data will be meaningless once the off-chain personal data is deleted.
- Deploy zero-knowledge proof. In short, zero-knowledge proof implies that one party (the prover) can prove to another party that it knows certain facts without revealing those facts or revealing how these facts are known. Using zero-knowledge algorithms implies that personal data stays out of the fray, without hobbling transactional efficiency.
- Utilise blockchain’s security advantages. GDPR takes strong views on data security which aligns with the security advantages of a decentralised architecture. Blockchain doesn’t have a single point of failure which makes blockchain applications less vulnerable. In comparison, centralised data storage repositories have plenty of commonly exploited vulnerabilities.
- Build private blockchain applications. Enterprises can opt to build a private blockchain that walls off external users, limiting access to data. Applications utilising public and private keys can allow participants to exchange blockchain data anonymously, all in aid of data protection compliance.
How blockchain can be a privacy enabler
Instead of adapting blockchain applications to attain GDPR compliance, it is worth thinking of blockchain as a tool to enhance privacy. When no party obtains or handles personal data, data privacy considerations are dramatically reduced.
The Sovrin Foundation’s global identity network is an early example of how blockchain can be utilised to enable transactions that are highly reliant on sensitive personally identifiable information, without actually transmitting and sharing this information.
Creative applications of blockchain that meet privacy concerns are continuing to emerge, and it may well be that blockchain makes it far easier for enterprises to remain compliant with data privacy legislation such as GDPR.
Utilising blockchain in the presence of GDPR
Clearly, enterprises need to deploy a degree of creative thinking when developing blockchain applications that are GDPR compliant. Security and data privacy concerns should be at the forefront of blockchain application development.
Although having your personal data encrypted and then stored on the blockchain may sound pretty appealing for business, this solution will most likely never fully comply with the GDPR. Even when the encryption key is deleted, personal data is not. Therefore, the storage limitation principle requirements are not met. Especially, in case we are talking a lot about using the potential of quantum computers in the near future, keep in mind that they might be able to break this kind of encryption in a literal moment.
As always, the risk-based approach does make sense here. In most cases, a private or privileged blockchain with tokens in it and secure external storage should work best, at least for the time being.
Are you unsure about the security and compliance aspects of your enterprise blockchain application? Contact us today to see how you can adjust blockchain to meet privacy regulations, including GDPR.