GDPR and Blockchain: Managing implications and impact
The European Union’s (EU) General Data Protection Regulation (GDPR) applies to the personal information of any natural person within the territory of the EU, regardless of nationality or residence. GDPR confers on data subjects a series of rights that give individuals better control over their personal information: why it is collected, how it is collected and processed, where it is stored and for how long it will be stored. The regulation is the product of the deliberation over, and evolution of, European Directive 95/46/CE on personal data protection.
Blockchain, on the other hand, has transformed how entities transact with each other by eliminating the need for third parties to assist, be it in financial transactions or record-keeping activities. It is projected that Blockchain will be widely used in the near future as a decentralised way of conducting business and consuming services. It is therefore pertinent to analyse the technology through a GDPR-coloured lens, considering the array of derivations possible through the use of Blockchain and the challenges posed by privacy measures while developing such derivations.
Introduction to Blockchain
Blockchain is a distributed ledger technology (DLT) that records digital interactions in a way that is designed to be secure, transparent, immutable and auditable, without having to rely on a trusted intermediary. It is designed this way so that the role of intermediaries is limited, processes are simplified, and new operating models and workflows can be created. Blockchain, as a non-editable network, represents security and integrity. As a technology, Blockchain is tamper-proof in theory, since each block is bound to a cryptographic identity that is unique to it. Moreover, with Blockchain, data generated on the web is not processed and stored on a central server but on the local devices of the users connected to the network. Hence, in this decentralized architecture, users can communicate with one another without intermediaries.
Challenges posed by GDPR on utilisation of Blockchain
GDPR ensures the protection of individuals in relation to the processing of personal data and provides for certain data subject rights, security safeguards and accountability measures with which organizations will need to comply. However, GDPR poses various challenges to the utilisation of Blockchain as a technology, because Blockchain is essentially un-editable and the data elements on the various blocks cannot be altered once a platform is Blockchain-enabled. Some of these challenges are:
- Right to erasure/be forgotten: Blockchain, being a tamper-proof network, conflicts with the data subject’s rights to rectification, access and/or erasure.
- Accuracy of data: It is imperative for personal data to be accurate and up-to-date and it must be in consonance with the purpose for which it was collected. However, this poses a challenge since, currently, there is no way to modify or alter the information stored on Blockchain.
- Storage limitation: GDPR mandates that personal data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. However, there is currently no method of removing the data once the purpose for which it was collected has been exhausted.
- Confidentiality and Integrity: As per GDPR, personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
In such a scenario, it has become critical for technologists and researchers to invest in research and development (R&D) on making Blockchain-enabled technology editable without losing its security and integrity.
How can organizations deal with Blockchain?
Organizations can implement various tools and measures to protect data on Blockchain-enabled applications and ensure compliance with privacy laws across jurisdictions, such as:
- Storage limitation: Hashing solutions (a technique that consists of replacing one unique attribute in a record by another using a hash function) can be implemented by entities in cases where data needs to be made unreachable on a Blockchain. The entity can remove the data related to a particular hash from the external database, which leaves the hash as a mere number with no correspondence, making the Blockchain information scrambled or unreachable.
- Privacy by design: Privacy by design, as a requirement, could be implemented via technical safeguards such as encryption. For example, two separate nodes on a Blockchain can create a private channel and share encrypted personal data through this channel; by storing only the hash of the encrypted data on the common Blockchain network, the content of the encrypted data becomes non-viewable, since only the hash corresponding to the communication is available for viewing and not the content of the communication itself.
- Data Protection Impact Assessment (DPIA): GDPR requires companies that process personal/sensitive data to conduct a DPIA before implementing any new process/solution/technology (such as Blockchain) or client/vendor engagement so as to ascertain a systematic description of the operations that involve data elements and their purpose, including the proportionality and necessity in relation to the purpose.
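The two techniques above (an on-chain hash pointing at an off-chain record, and a hash of content that is itself never written to the chain) can be shown together. The following is an added example, not code from the article or from any Blockchain project: an in-memory append-only ledger stands in for the shared network, a dictionary stands in for the entity's external database, and both are assumptions for illustration. It goes one step beyond the text by computing the on-chain value as a keyed hash (HMAC-SHA256 under a random salt kept only off-chain), so that once the record and its salt are deleted the on-chain number cannot be matched against guessed inputs such as names or e-mail addresses; the sample personal record is constructed.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Optional


def block_hash(index: int, prev_hash: str, payload: str) -> str:
    """Hash over a block's own fields; it depends on the previous block's hash."""
    data = json.dumps({"i": index, "p": prev_hash, "d": payload}, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: str  # only a commitment to the off-chain record, never the record itself
    hash: str


class Ledger:
    """Append-only chain standing in for the shared Blockchain network (assumption)."""

    def __init__(self) -> None:
        genesis_prev = "0" * 64
        self.blocks = [Block(0, genesis_prev, "genesis", block_hash(0, genesis_prev, "genesis"))]

    def append(self, payload: str) -> Block:
        prev = self.blocks[-1]
        idx = prev.index + 1
        blk = Block(idx, prev.hash, payload, block_hash(idx, prev.hash, payload))
        self.blocks.append(blk)
        return blk

    def verify(self) -> bool:
        """Recompute every hash and check the links; any edit to an existing block fails this."""
        for i, blk in enumerate(self.blocks):
            if blk.hash != block_hash(blk.index, blk.prev_hash, blk.payload):
                return False
            if i > 0 and blk.prev_hash != self.blocks[i - 1].hash:
                return False
        return True


def commitment(record: bytes, salt: bytes) -> str:
    """Keyed hash of the record. Salt lives off-chain with the record, so erasing both
    leaves the on-chain value as a number that no longer corresponds to anything."""
    return hmac.new(salt, record, hashlib.sha256).hexdigest()


class OffChainStore:
    """Mutable database under the entity's control, keyed by commitment (assumption)."""

    def __init__(self) -> None:
        self._records: dict = {}

    def put(self, record: dict) -> str:
        salt = os.urandom(32)
        raw = json.dumps(record, sort_keys=True).encode()
        c = commitment(raw, salt)
        self._records[c] = (salt, raw)
        return c

    def resolve(self, c: str) -> Optional[dict]:
        """Return the record only if it is still stored and still matches the on-chain value."""
        entry = self._records.get(c)
        if entry is None:
            return None
        salt, raw = entry
        if not hmac.compare_digest(commitment(raw, salt), c):
            return None
        return json.loads(raw)

    def erase(self, c: str) -> bool:
        """Right to erasure: drop record and salt; the chain itself is left untouched."""
        return self._records.pop(c, None) is not None


def demo() -> dict:
    """Record a constructed personal record, anchor it on-chain, erase it, re-verify the chain."""
    ledger, store = Ledger(), OffChainStore()
    c = store.put({"name": "Example Subject", "email": "subject@example.invalid"})  # constructed
    blk = ledger.append(c)
    before = store.resolve(c)
    erased = store.erase(c)
    return {
        "commitment": c,
        "on_chain_payload": blk.payload,
        "resolved_before": before,
        "erased": erased,
        "resolved_after": store.resolve(c),
        "chain_valid_after_erasure": ledger.verify(),
        "chain_length": len(ledger.blocks),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the ledger never changes: erasure and storage limitation are handled entirely in the mutable off-chain database, while the chain keeps verifying because the block that carries the orphaned commitment is still byte-for-byte the same.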
Blockchain networks are public and transparent. As a rule, all information on a Blockchain, which may include personal data, is accessible to everyone. Having said that, Blockchain is a secure network, since technologies such as cryptography (digital signatures, encryption, time-stamping) provide a safe and secure way of storing and managing information. Moreover, embedding privacy in Blockchain could be achieved by incorporating techniques such as hashing, private channels, or both. However, these techniques should be subjected to legal screening against the applicable privacy laws before being embedded into the Blockchain, over and above being scrutinized for their fitness in relation to the procedures and workflows of the organization in question. What is noteworthy is that both Blockchain and GDPR share common principles of data privacy, considering that both aim to put users in charge of their own digital private data, be it payment details in the case of bitcoin, or personal data that is disclosed while engaging in transactions over Blockchain networks. Hence, it appears that Blockchain-enabled services could very well address the regulatory and legal challenges with the incorporation of the right techniques and an understanding of the applicable legal and regulatory privacy framework.
By Ahmar Zaman, Guest Writer