Is it Possible for Blockchain and GDPR to Coexist?

In Europe, a new privacy regulation came into force on May 25th, 2018. The GDPR, or General Data Protection Regulation, gives EU residents more control over who has access to their personal information and what happens to it. It’s why you’re inundated with popups requesting your permission to collect and process your personal information. It’s the same reason why e-mail newsletters ask if you’re still interested, and why many companies are suddenly making it easy to obtain a copy of the information they hold on you.

Companies all across the world are working swiftly to ensure that they are GDPR compliant, as failing to do so could result in significant fines. However, with blockchain technology revolutionizing the world, what happens when a blockchain contains personal information?

The difficulty is that data recorded on a blockchain is open, transparent, and immutable, which means it cannot be changed or wiped. These are inherent characteristics of the technology that cannot be modified, and they appear to work against enforcing privacy.

The General Data Protection Regulation (GDPR): What You Need to Know

Before we go into the GDPR’s compliance requirements, let’s define a few terms that are often used:

Data Controllers – Companies that hold your data are designated as data controllers under EU legislation. Facebook, Google, and Apple are well-known examples.
Data Processors – Data processors are companies that work with your data to evaluate it. Google Analytics, Moz Analytics, Socialblade, and other similar tools are examples.

In most circumstances, the data controller and data processor are the same company; however, the data controller has the duty of GDPR compliance. It’s also worth noting that the GDPR only applies when personal data of EU nationals is at stake. Any corporation that stores information about EU citizens, including Facebook and Apple, must adhere to the regulations.

Personal data, according to EU law, is any information about an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural, or social identity. This is a broad definition, but it simply means that any data that may be directly or indirectly linked to you, such as an IP address, a Bitcoin wallet address, a credit card, or any transaction, qualifies as personal data.

The three GDPR articles that are incompatible with blockchain properties

Articles 16, 17, and 18 of the GDPR make life tough for businesses that want to use a distributed ledger network to conduct their operations.

Article 16: This article permits EU residents to update or modify personal data held by a data controller. You can not only modify the information they have on you, but you can also add new information if you believe the current information is erroneous or missing. The issue is that while adding new data isn’t a difficulty in a distributed network, modifying it is.
Article 17: The “right to be forgotten” is discussed in this article. Because data cannot be deleted from a blockchain, the technology directly conflicts with this part of the data protection regulation.
Article 18: The “right to restrict processing” is discussed in this article. Essentially, this prevents corporations from using your information if it is false or was obtained unlawfully.

One of the most significant drawbacks of a blockchain is that it is entirely open, allowing anyone to obtain a copy of your data and do whatever they want with it. As a result, you have no control over who processes your data.

Possible coexistence solutions!

Encryption – Encrypting personal data before storing it on a distributed network is a popular method. This means that the data is only accessible to those who have the decryption key. When this key is lost, the data is rendered unusable. Some governments, such as the United Kingdom, acknowledge this, but others believe that strong encryption is still reversible. With advances in computation, it will only be a matter of time before encryption can be broken more quickly, allowing personal data to be accessed once more. The debate over encryption continues.

Permissioned Blockchains – Anyone can add new data to a public blockchain, and the data is available to everyone. A permissioned blockchain, on the other hand, restricts access to a small number of well-known and trusted stakeholders. For permissioned distributed networks, this satisfies Article 18’s requirement. However, it does not conform with Article 17, which protects the right to be forgotten. The data is immutable and cannot be erased or modified even when it is part of a permissioned chain.

A feasible option is to store the data on a secure server with read and write access, and to store only a hash of that data on the blockchain as a reference to it. Hash functions are commonly used to check the integrity of files on a secure server. Hash functions, on the other hand, cannot be reversed to reveal the data. If we delete the data from the server, the hash on the blockchain is rendered meaningless, and personal data is no longer accessible.

This isn’t an elegant approach because blockchains are decentralized, and by employing a secure server, you’re re-centralizing.
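
The off-chain pattern described above, as an added example that is not part of the original article: the ledger is a plain Python list, the erasable server is a dict, and all function names are hypothetical. It goes one step beyond the text by keying each hash with a random per-record salt that is deleted together with the record, because a bare hash of predictable personal data can still be confirmed by hashing guesses.

```python
import hashlib
import hmac
import json
import secrets

ledger = []      # stand-in for the blockchain: append-only, commitments only
off_chain = {}   # stand-in for the erasable server: index -> (salt, record)

def _encode(record):
    return json.dumps(record, sort_keys=True).encode()

def bare_hash(record):
    """Unsalted SHA-256 of the record, shown only for comparison."""
    return hashlib.sha256(_encode(record)).hexdigest()

def store(record):
    """Keep the record off-chain; append only a salted commitment on-chain."""
    salt = secrets.token_bytes(32)          # never written to the ledger
    ledger.append(hmac.new(salt, _encode(record), hashlib.sha256).hexdigest())
    idx = len(ledger) - 1
    off_chain[idx] = (salt, record)
    return idx

def verify(idx):
    """True if the off-chain record still matches its on-chain commitment."""
    if idx not in off_chain:
        return False
    salt, record = off_chain[idx]
    expected = hmac.new(salt, _encode(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(ledger[idx], expected)

def erase(idx):
    """Erasure request: delete record and salt; the ledger is left untouched."""
    off_chain.pop(idx, None)

def linkable_by_guessing(on_chain_value, candidates):
    """Candidate records whose bare hash equals the on-chain value."""
    return [c for c in candidates if bare_hash(c) == on_chain_value]

if __name__ == "__main__":
    alice = {"name": "Alice Example", "email": "alice@example.com"}  # constructed
    i = store(alice)
    print("matches before erasure:", verify(i))
    erase(i)
    print("matches after erasure:", verify(i), "| ledger entries:", len(ledger))
    print("bare hash linkable:", linkable_by_guessing(bare_hash(alice), [alice]))
    print("salted entry linkable:", linkable_by_guessing(ledger[i], [alice]))
```

After erasure the ledger keeps the same number of entries, but the remaining value can no longer be tied to the record without the deleted salt.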

Zero-Knowledge Proof – A zero-knowledge protocol is a mechanism through which one party (the prover) can prove to another party (the verifier) that they know a value x without revealing any other information. This is ideal for confirming things like age-gates without having to divulge birthday information to data collectors. Outside of blockchains, zero-knowledge proofs may be a viable solution to GDPR.

What do you think?

Written by Jordana Williams
