Blockchain – Solution or Obstacle for GDPR Compliance?

Blockchain – Solution or Obstacle for GDPR Compliance?

What is blockchain?

Not long ago we discussed in an article the way we approach security will be changed by the GDPR. Today we will tackle a more sensitive subject in the area of security – blockchains. But what exactly is blockchain? A simple definition, found on Wikipedia, states that “a blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography.”

There are a few main traits of blockchains that make them both a benefit and a challenge for data protection. First of all, blockchains are distributed and decentralized. Because of this, it is almost impossible to identify the person responsible for the data. Second, there is the fact that blockchains are public, which means that all information on the blockchain is accessible to everyone. Finally, blockchains are not editable, meaning you can’t make changes to the personal data they contain.

Now, if we go back and think about some of the requirements of the GDPR, we might start to see why the basic properties of blockchains can be both pros and cons for compliance, which we will discuss in the following paragraphs.


The Pros and the Cons of blockchain

Opinions surrounding blockchain are generally divided between those who believe it’s the best invention in terms of security and those who believe it won’t work well with the GDPR. Some say data subjects’ rights are harder to guarantee using blockchain. Others believe this is a trend that could go away any time and with it all the personal data would be gone.

Compliance with data subjects’ rights

The GDPR is essentially about data subjects rights. So the fact that blockchain protects identity by making data almost unidentifiable is at first sight a good thing. However, this is not the only right the GDPR focuses on. Other rights, such as the right to access, to have incorrect data rectified and even the right to erasure, are just as important. Here, blockchain might not be so amazing. First of all, once written to a blockchain, data will be technically impossible to erase. This contradicts the right to erasure, or the right to be forgotten. In the same manner, the fact that the identity of the data subject is completely hidden makes it hard to comply with the right to access or to rectification.

Controllers, processors and jurisdiction

Another issue is the uncertainty as to who is the controller of the data. To be fully compliant to the GDPR, the controller should be visible, known. The aim is for the data subject to know at all times who is processing their data. On the other hand, this is seen by some an advantage. How so you might ask? Because the controller and/or the processor do not have full control over the data. This power is considered to be in the hands of the data subject when using blockchain.

Furthermore, a single blockchain may involve computers located in various countries. According to Article 3 of the GDPR:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

The reality is, in this instance, blockchain seems to complicate life instead of making it easier. Having multiple data controllers, located around the world does not make it easy to establish the jurisdiction. Given the prerogatives of Article 3, most of those using blockchain will find they need to be compliant regardless of where they are in the world.


DPIA and blockchain

The GDPR requires data protection impact assessments to be performed before the processing. If you are not familiar with the topic of DPIA, you can read more about it in our blog post here. While some blockchains are designed for non-personal data like bills of lading or letters of credit, some are used precisely for personal data. This later category will require a DPIA before being processed. In theory, blockchains are extremely secure. A company relying on this technology will however need to prove their system is robust. The greatest comparison seems to be with traditional cloud-based systems. Does blockchain provide a system at least as robust or even more robust than them? The many cryptographic layers seem to suggest it does. The GDPR does not work with mere impressions and companies will need to provide solid proof of their claims.


Identity management

Can blockchain be used for identity management? ‘Yes it can and it will’, comes a first batch of answers. ‘No way’, says the second wave. Like pretty much every aspect surrounding this bit of technology, opinions are divided when it comes to identity management as well. Opposers base their ideas on the fact that the blockchain is meant to allow strangers to exchange real value in a reliable way. At its very core is the fact that it works without identity. At the other spectrum are those who say that with blockchain the data subject is in complete control of their personal data. They decide how much they want to share and when. TechCrunch has a great article about blockchain for identity management, which exposes pretty nicely both the pros and cons of the practice.


Final thoughts

Whether you are for or against it, one thing is certain: blockchain is here to stay for a while. Considering the GDPR frenzy has only just begun, we will probably hear a lot more about these two and how they interact with one another in the future.


Photo credit: Davidstankiewicz (Own work) [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons

Share:

About the author

Laura Vegh is the Chief Security Officer at UNLOQ.io, a passwordless security solution. She has a PhD in Systems Engineering, focused on cyber-physical systems security.