Blockchain and GDPR: Exploring Challenges and Opportunities
A blockchain is an append-only ledger that records a history of transactions. The transaction data is replicated on many networked computers called nodes, and a consensus algorithm decides which new blocks are appended. Because every node holds a full copy of the ledger, it is transparent by design, and because each block carries the hash of the block before it, recorded data is tamper-evident.
The European Union's General Data Protection Regulation (GDPR) is a legal framework that gives individuals control over their personal data. Besides addressing growing concerns about data privacy, GDPR defines when personal data may be used for commercial purposes, and it obliges data controllers to delete personal data when a data subject exercises the right to erasure.
- Tensions between blockchain and GDPR
- Blockchain addresses GDPR challenges
- Overcoming the compliance issues
- Future developments
Tensions between blockchain and GDPR
Blockchain and GDPR start from opposite assumptions about who processes personal data. On a blockchain, data is processed by many independent nodes in a decentralized environment, whereas GDPR assumes an identifiable controller who decides the purposes and means of processing. Decentralization itself is not the main source of tension; the problem is the absence of an identifiable party who can be held accountable.
Personal data processing
Blockchains rely on hashing and encryption to handle data, and one of the major points of tension is whether personal data becomes anonymous once it is hashed or encrypted. Data that can no longer be linked to an identifiable person falls outside GDPR, but hashed or encrypted data is generally treated as pseudonymous rather than anonymous: it remains personal data as long as the original can be recovered. A hash of a low-entropy value such as an email address or a date of birth can be re-identified by hashing candidate values and comparing, and encrypted data can be read by whoever holds the key, so the risk is reduced but not removed.
Role of data controllers in a decentralized environment
GDPR requires identifying a controller: the party that determines the purposes and means of processing personal data. The open participation of a public blockchain makes this difficult. In a private (permissioned) blockchain, the operating organization can take the role of controller; in a public blockchain, there is no central party to enter into data processing agreements or to carry the controller's obligations.
Implementation of data subjects rights
Controllers in a private blockchain must put data processing agreements in place and meet their regulatory obligations, including responding to data subject requests. GDPR calls for a "clear allocation of responsibilities"; in a public blockchain there is no central controller or processor, so accountability for honoring those rights cannot be guaranteed.
Blockchain addresses GDPR challenges
Any organization that offers goods or services, paid or unpaid, to individuals in the European Union must comply with GDPR, even without a physical presence in the EU. GDPR is concerned with giving individuals control over their personal data; blockchain is concerned with how data is recorded and whether it can be changed, and the two concerns meet at the questions below.
Can data be modified or removed from a blockchain?
Once data is added to a block it cannot be modified; any correction is recorded as a new block, and the original stays. To reconcile this with the right to erasure, personal data can be kept in an off-chain data store and only a cryptographic hash of it recorded on the chain. The off-chain record can then be deleted on request, and the hash that remains on the chain no longer points to anything recoverable. The hash should be salted or keyed with a random value stored alongside the off-chain record, because a plain hash of a guessable value could still be re-identified after the record is gone.
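As an added example (not code from the original article), the following Python sketch shows the off-chain pattern described above together with the re-identification caveat from the earlier section on personal data processing: a minimal hash-chained ledger, an off-chain store that records a salted (HMAC-SHA256) commitment on the chain, erasure that removes only the off-chain record and its salt, and a dictionary attack that recovers a plain hash of guessable data but not the salted commitment. The class names, ledger structure and sample records are assumptions constructed for illustration.

```python
"""Off-chain personal data with an on-chain salted commitment (illustrative example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the same record always produces the same digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(record: dict) -> str:
    """Unkeyed SHA-256: what a naive 'just hash it' design puts on chain."""
    return hashlib.sha256(canonical(record)).hexdigest()


def salted_commitment(record: dict, salt: bytes) -> str:
    """HMAC-SHA256 keyed with a random per-record salt that lives only off-chain."""
    return hmac.new(salt, canonical(record), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    commitment: str  # only a digest goes on chain, never the personal data

    def block_hash(self) -> str:
        return hashlib.sha256(f"{self.index}|{self.prev_hash}|{self.commitment}".encode()).hexdigest()


class Ledger:
    """Append-only chain: there is deliberately no method to edit or delete a block."""

    def __init__(self) -> None:
        self.blocks = [Block(0, "0" * 64, "genesis")]

    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.index + 1, prev.block_hash(), commitment))
        return len(self.blocks) - 1

    def verify(self) -> bool:
        return all(self.blocks[i].prev_hash == self.blocks[i - 1].block_hash() for i in range(1, len(self.blocks)))


class OffChainStore:
    """Controller-held store: the only place the personal data and its salt exist."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: dict = {}  # subject_id -> (record, salt, block index)

    def register(self, subject_id: str, record: dict) -> int:
        salt = secrets.token_bytes(32)
        index = self.ledger.append(salted_commitment(record, salt))
        self.records[subject_id] = (record, salt, index)
        return index

    def prove(self, subject_id: str) -> bool:
        """Show that the off-chain record matches what the chain committed to."""
        record, salt, index = self.records[subject_id]
        return hmac.compare_digest(self.ledger.blocks[index].commitment, salted_commitment(record, salt))

    def erase(self, subject_id: str) -> int:
        """Right to erasure: drop the record and salt; the chain is untouched."""
        _, _, index = self.records.pop(subject_id)
        return index


def dictionary_attack(digest: str, candidates: list) -> Optional[dict]:
    """Re-identify an unkeyed hash by hashing guesses; None if no guess matches."""
    for candidate in candidates:
        if plain_hash(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    # Constructed sample data, not real people.
    alice = {"email": "alice@example.com", "dob": "1990-01-01"}
    guesses = [{"email": e, "dob": "1990-01-01"} for e in ("bob@example.com", "alice@example.com", "carol@example.com")]

    # Naive design: plain hash on chain. A short guess list re-identifies Alice.
    naive_ledger = Ledger()
    naive_index = naive_ledger.append(plain_hash(alice))
    naive_reidentified = dictionary_attack(naive_ledger.blocks[naive_index].commitment, guesses)

    # Salted commitment plus off-chain store: erasure removes record and salt.
    ledger = Ledger()
    store = OffChainStore(ledger)
    index = store.register("alice", alice)
    proof_before = store.prove("alice")
    store.erase("alice")
    salted_reidentified = dictionary_attack(ledger.blocks[index].commitment, guesses)

    return {
        "naive_reidentified": naive_reidentified,
        "proof_before_erasure": proof_before,
        "record_exists_after_erasure": "alice" in store.records,
        "chain_still_valid": ledger.verify(),
        "chain_length": len(ledger.blocks),
        "salted_reidentified": salted_reidentified,
    }


if __name__ == "__main__":
    print(demo())
```

After erasure the chain still verifies and still holds the commitment, but without the salt the digest cannot be matched against guesses, which is the property the off-chain design relies on.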
Who is responsible for the data in a blockchain?
Under GDPR, data controllers must protect personal data with appropriate technical and organizational measures. Blockchain cryptography (digital signatures and hash chaining) protects the integrity and authenticity of transactions and prevents unauthorized changes; it does not by itself make transaction contents confidential, since on a public chain every node can read them. The controller must also have a lawful basis for processing, such as the data subject's consent.
Overcoming the compliance issues
Blockchain immutability and GDPR's privacy rules pursue different goals, but both aim at protecting data: blockchain protects it from tampering, while GDPR gives individuals control over it. Closing the compliance gap is urgent, and research into ways of doing so is ongoing.
Permissioned blockchains to mitigate the problem
One mitigation is a private, permissioned blockchain in which only a vetted set of participants may operate nodes. Participants are bound by agreed rules on consensus and on how personal data is handled, so misbehavior can be attributed to a known party. The added central control makes it possible to name a controller and allocate responsibility for data processing.
Limiting personal data storage on blockchains
Minimizing the personal data that reaches the chain is one of the most effective ways to satisfy privacy regulation. Avoid storing personal data as a block payload at all; keep it in an off-chain store under access control, where it can be managed and deleted, and place only references or hashes on the chain.
Future developments
Blockchain technology is changing rapidly and offers many opportunities, but its growth also raises data protection compliance issues under GDPR. How serious these are depends on the type of blockchain (public or permissioned) and on what information is processed through it.
Future technical work on blockchain needs to address scalability and accountability in a way that is compatible with GDPR. Zero-knowledge proofs, stealth addresses, homomorphic encryption, state channels, ring signatures and the addition of noise are among the techniques that can reduce the amount of personal data exposed on chain and so improve the fit between blockchain and GDPR.