Blockchain and GDPR: two terms you don’t often see together, but which have been making headlines for over a year now. Are the two connected? Do they work together, or are they forces that inhibit one another?
What’s more, does the General Data Protection Regulation (GDPR), enforced on 25th May 2018, diminish the growth of blockchain? Are there any solutions for continued technological growth with the protection of personal data in mind?
The GDPR gives data subjects the right to say how they want their information to be processed and whether or not they want their personal data corrected or deleted. Blockchain technology, on the other hand, creates an immutable ledger, which makes it nearly impossible to alter or delete information once it is stored on the blockchain.
So which trumps which?
First Things First, the GDPR
Well, this new data privacy law is merely an updated version of the 1995 Data Protection Directive. So, what is it? To put it simply, it is a harmonisation of data privacy laws across Europe, with the purpose of protecting and empowering all EU citizens’ data privacy. Is it just for EU companies? No, it also applies to anyone outside the EU who processes the data of persons in the EU.
The main actors involved in the GDPR are the data processor, the data controller and the data subject. The data processor and the controller are the ones who process data and decide on the purpose for processing such data respectively. The data subjects are the individuals whose data is collected and processed, and they have been granted many new rights under the GDPR.
To use a practical example: the data controller can be compared to a chef in a restaurant, whilst the data processor is the sous chef in the same restaurant. The chef and sous chef decide on the menu and recipe of the restaurant. The data subject is the customer eating at the restaurant who is free to choose what they would like to eat and their personal preferences. If the incorrect food is sent out, the customer can request for the food to be changed or cancelled etc.
In the example above, the fact that the customer can request to change or cancel their food is a problem when relating this back to the GDPR and blockchain. Personal data is a broad term and it includes pseudonymised or encrypted data. This is a red flag for blockchain companies. Article 17 states that a data subject has the right to be forgotten. This is a heavy burden on blockchain companies because it means that they have to edit or remove the data when an individual requests it. Does the requirement to remove and edit personal data mean that the GDPR and blockchain are incompatible?
Blockchain originated from a paper published by Satoshi Nakamoto in 2008, which explained a novel approach of how to send money from person A to person B, without involving any financial third parties.
The key element of blockchain is that it is a decentralised system which eliminates the need for trust, while ensuring that a transaction is legitimate and secure. If done correctly, this results in business transactions becoming more efficient and cost effective, while guaranteeing transparency and security.
Until recently, blockchain was most commonly known as the underlying technology behind cryptocurrency; however, blockchain is not limited to this use case. Blockchain can be used to provide a secure way of processing all kinds of data.
How Does it Work?
To better understand how blockchain works, we will first look at how existing technology works, using a bank transfer as an example. Currently, when money is transferred from one bank to another, no actual physical currency is sent out. Instead, the transaction is listed and tracked in a bank’s central electronic ledger. This system, although successful, can be slow and inefficient and will often result in high banking fees. Furthermore, this system is vulnerable to hacking and fraud.
In contrast, in a blockchain, a block forms part of the current chain and records some or all of the recent transactions. Once a block is completed, it goes into the blockchain as part of a permanent database, and each time a block gets completed, a new one is generated. These blocks are all connected to one another, just like links in a chain.
On average, a block is added to the blockchain every 10 minutes, containing the transactions of the last 10 minutes. This is then verified by other computers. Miners are the ones that gather the blocks and compete to verify them by figuring out their cryptography. If a miner is successful, then he publishes the result to other computers and also receives a monetary incentive. The blockchain is created in a way that each transaction is immutable. The data can be distributed, but not copied.
What are the Benefits of Blockchain?
- The value you own is yours as there are no intermediaries that hold your value or restrict your access;
- Any valued transaction that is transferred from anywhere around the world is cost effective and can be done in a few minutes;
- A transaction may be secure after a few hours as opposed to a few days;
- Anyone, anywhere, at any time, can validate a transaction on the blockchain; and
- Any exchange of information is done in a synchronous system and is constantly updated which lowers the risk of hacking.
The Bottom Line — Can Blockchain Innovation Occur in Compliance with the GDPR?
Some benefits that can be drawn from the GDPR, such as transparency, limit the possibilities of blockchain. There is a belief that being transparent is beneficial for a business; however, transparency will be reduced in some blockchain use cases. For example, it is possible to use blockchain in a GDPR-compliant manner by storing the data ‘off-chain’. However, the user will not have full certainty as to who has accessed, or who will be able to access, their data.
Every business has to be GDPR compliant. Businesses will now have to build this security into the business from the get-go.
Businesses are already working around the GDPR restrictions by storing data off chain and adding random data to hashes through ‘peppering’. This is just the beginning and therefore in the future, businesses will discover more ways for the GDPR and blockchain to grow together.
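The off-chain approach described above, sketched as an added example (not code from this article or from any product it refers to): blocks carry only a keyed digest, while the personal data and a per-record random pepper sit in an off-chain store that can be deleted. The names `Ledger`, `record` and `matches_chain`, the use of HMAC-SHA256 as the peppered hash, and the sample e-mail addresses are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def block_hash(index, prev, commitment):
    return hashlib.sha256(json.dumps([index, prev, commitment]).encode()).hexdigest()

class Ledger:
    """Append-only hash chain; blocks hold only commitments, never personal data."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "commitment": commitment,
                            "hash": block_hash(index, prev, commitment)})
        return index

    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(b["index"], prev, b["commitment"]):
                return False
            prev = b["hash"]
        return True

def commit(pepper, data):  # keyed digest; guessing `data` alone cannot reproduce it
    return hmac.new(pepper, data.encode(), hashlib.sha256).hexdigest()

def record(ledger, store, data):
    pepper = secrets.token_bytes(32)           # per-record random value, kept off-chain
    index = ledger.append(commit(pepper, data))
    store[index] = {"data": data, "pepper": pepper}
    return index

def matches_chain(ledger, store, index):
    rec = store.get(index)                     # None once the off-chain record is erased
    return rec is not None and hmac.compare_digest(
        commit(rec["pepper"], rec["data"]), ledger.blocks[index]["commitment"])

def demo():
    ledger, store = Ledger(), {}
    a = record(ledger, store, "alice@example.com")   # constructed sample data
    b = record(ledger, store, "bob@example.com")
    before = matches_chain(ledger, store, a)
    store.pop(a)                                     # erasure: data and pepper go together
    guess = hashlib.sha256(b"alice@example.com").hexdigest()
    return {"before": before, "after": matches_chain(ledger, store, a),
            "other_ok": matches_chain(ledger, store, b), "chain_valid": ledger.verify(),
            "plain_guess_links": guess == ledger.blocks[a]["commitment"]}
```

After the off-chain record is deleted, the chain still verifies and the other record still checks out, while the digest left on-chain can no longer be recomputed from a guessed value.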
It is too early to make definitive statements on the end of blockchain in its public domain. The ideal solution is one which overcomes the legal challenges faced by blockchain and offers a GDPR-compliant blockchain to anyone in the EU who would like to process personal data. Blockchain could then be a disruptive technology which respects data protection rights. This is something that the amazing tech minds of today can strive towards.